In this paper we propose an algebra of synchronous scheduling interfaces which combines the expressiveness of Boolean algebra for logical and functional behaviour with the min-max-plus arithmetic for quantifying the non-functional aspects of synchronous interfaces. The interface theory arises from a realisability interpretation of intuitionistic modal logic (also known as the Curry-Howard isomorphism or propositions-as-types principle). The resulting algebra of interface types aims to provide a general setting for specifying type-directed and compositional analyses of worst-case scheduling bounds. It covers synchronous control flow under concurrent, multi-processing or multi-threading execution and permits precise statements about exactness and coverage of the analyses, supporting a variety of abstractions. The paper illustrates the expressiveness of the algebra by way of some examples taken from network flow problems, shortest-path, task scheduling and worst-case reaction times in synchronous programming.

1 Introduction 

The algebra discussed in this paper aims at the specification of behavioural interfaces under the execution model of synchronous programming. Such interfaces abstract externally observable Boolean controls for components activated under the regime of a global synchronous scheduler familiar from data-flow oriented languages such as Lustre [11], Signal [8], Lucid Synchrone [24], or imperative control-flow oriented languages such as Statecharts [12, 23], Esterel [5] and Quartz [25]. In this model computations are coordinated under one or more global system clocks, which may be physical or logical. They divide physical time into a sequence of discrete ticks, or instants. During each instant the synchronous components interact using broadcast signals, which can have one of two statuses, present or absent. These signal statuses evolve monotonically as they are propagated through the system, generating the emission or inhibition of further signals and computations. Under the synchrony hypothesis [10] it is assumed that at each instant, outputs are synchronous with the inputs. In other words, computations take place instantaneously and appear to happen at each tick "all at once."

The synchrony hypothesis conveniently abstracts internal, possibly distributed computations into atomic reactions, making signals appear almost like Boolean variables and (stateful) interfaces almost like Mealy automata with Boolean labels. Unfortunately, this abstraction is not perfect, so that Boolean algebra is insufficient. First, it is well-known [14, 20] that classical two-valued Boolean analysis is inadequate to handle the causality and compositionality problems associated with the synchrony hypothesis. E.g., Boolean algebra by itself cannot guarantee that there are no races between signal presence and absence, and thus cannot guarantee unique convergence after a finite number of signal propagation steps. Some form of causality information needs to be preserved. Secondly, quite practically, in many applications we want to compute non-Boolean information about otherwise "instantaneous" control signals, such as latency or worst-case reaction times, maximal throughput, earliest deadlines, or other quantitative information about the scheduling process. This provides one way to motivate the work reported here, viz. the search for a fully abstract synchronisation algebra as an economic refinement of classical Boolean algebra in situations where Booleans are subject to synchronous schedules and quantitative resource consumption.

Another motivation may be drawn from the arithmetical point of view. One of the challenges in quantitative resource analysis is the clever interchange (distribution) of max, min and +. For instance, consider the analysis of worst-case reaction times (WCRT). In its simplest form, given a weighted dependency graph, the WCRT is the maximum of all sums of path delays, an expression of the form $\max\{\sum_{i \in p_1} d_{i1}, \sum_{i \in p_2} d_{i2}, \ldots, \sum_{i \in p_n} d_{in}\}$ where $p_j$ are execution paths of the system and $d_{ij}$ the delay of path segment $i$ in path $p_j$. As it happens, the number $n$ of paths is exponential in the number of elementary nodes of a system. Practicable WCRT analyses therefore reduce the max-of-sums to the polynomial complexity of sum-of-maxes (dynamic programming on dependency graphs) employing various forms of dependency abstraction. For illustration, imagine two alternative path segments of length $d_1$, $e_1$ sequentially followed by two alternative path segments of length $d_2$, $e_2$, respectively. The distribution
$$\max\{d_1 + d_2,\ d_1 + e_2,\ e_1 + d_2,\ e_1 + e_2\} = \max\{d_1, e_1\} + \max\{d_2, e_2\}$$
for efficiently calculating the longest possible path is exact only if we have a full set of path combinations. In general, there will be dependencies ruling out certain paths, in which case sum-of-maxes obtains but conservative over-approximations. E.g., assume the combination of $d_1$ with $e_2$ is infeasible. Then, the sum-of-maxes is not exact since $\max\{d_1, e_1\} + \max\{d_2, e_2\} \geq \max\{d_1 + d_2,\ e_1 + d_2,\ e_1 + e_2\}$. On the other hand, knowing the infeasibility of $d_1 + e_2$ we would rather compute $\max\{d_1 + d_2,\ e_1 + \max\{d_2, e_2\}\} = \max\{d_1 + d_2,\ e_1 + d_2,\ e_1 + e_2\}$, which eliminates one addition and thus is both exact and more efficient than the full conservative max-of-sums. The same applies to min-plus problems such as shortest path or network flow. In the former, the efficient sum-of-mins is an under-approximation of the exact min-of-sums on all feasible paths. For network flow the arithmetic is complicated further by the fact that min/max do not distribute over +, i.e., $\min\{d, e_1 + e_2\} \neq \min\{d, e_1\} + \min\{d, e_2\}$, which obstructs simple linear programming techniques.
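To make the max-of-sums versus sum-of-maxes trade-off concrete, here is an added Python example (not code from the paper) that enumerates the two-stage path space described above with constructed delay values $d_1, e_1, d_2, e_2$ and an assumed infeasibility predicate, and compares the exact bound, the conservative bound and the factored bound, together with the min-plus counterpart:

```python
"""Added example, not from the paper: exact max-of-sums versus the
polynomial sum-of-maxes on a two-stage path space, with and without an
assumed infeasible path combination. All delay values are constructed."""
from itertools import product
from typing import Callable, Dict, List, Tuple

Stage = Dict[str, int]          # segment name -> delay of that segment
Path = Tuple[str, ...]          # one segment name per stage
Feasible = Callable[[Path], bool]

def paths(stages: List[Stage]) -> List[Path]:
    """Every end-to-end path: one segment chosen from each stage."""
    return list(product(*[list(stage) for stage in stages]))

def path_delay(stages: List[Stage], path: Path) -> int:
    return sum(stage[seg] for stage, seg in zip(stages, path))

def max_of_sums(stages: List[Stage], feasible: Feasible = lambda p: True) -> int:
    """Exact WCRT: the longest feasible path. Enumerates all paths, so the
    cost grows exponentially with the number of stages."""
    return max(path_delay(stages, p) for p in paths(stages) if feasible(p))

def sum_of_maxes(stages: List[Stage]) -> int:
    """Dynamic-programming bound: worst segment per stage, then add.
    Polynomial, but it ignores dependencies between stages and therefore
    over-approximates as soon as some combination is infeasible."""
    return sum(max(stage.values()) for stage in stages)

def min_of_sums(stages: List[Stage], feasible: Feasible = lambda p: True) -> int:
    """Exact shortest feasible path (the min-plus counterpart)."""
    return min(path_delay(stages, p) for p in paths(stages) if feasible(p))

def sum_of_mins(stages: List[Stage]) -> int:
    """Cheap min-plus bound; an under-approximation whenever the per-stage
    minima cannot be combined into one feasible path."""
    return sum(min(stage.values()) for stage in stages)

# Constructed instance: stage 1 offers d1 or e1, stage 2 offers d2 or e2.
STAGES: List[Stage] = [{"d1": 5, "e1": 1}, {"d2": 1, "e2": 5}]

def d1_e2_infeasible(path: Path) -> bool:
    """Assumed dependency: segment d1 is never followed by e2."""
    return path != ("d1", "e2")

def e1_d2_infeasible(path: Path) -> bool:
    """Assumed dependency for the min-plus case: the two cheapest segments
    never occur on the same path."""
    return path != ("e1", "d2")

def factored_bound(stages: List[Stage]) -> int:
    """The refinement discussed in the text for the d1/e2 case:
    max(d1 + d2, e1 + max(d2, e2)). Exact under d1_e2_infeasible and one
    addition cheaper than enumerating the three feasible sums."""
    s1, s2 = stages
    return max(s1["d1"] + s2["d2"], s1["e1"] + max(s2["d2"], s2["e2"]))

def demo() -> Dict[str, int]:
    return {
        "wcrt_all_paths": max_of_sums(STAGES),                      # 10
        "wcrt_feasible": max_of_sums(STAGES, d1_e2_infeasible),     # 6 (exact)
        "sum_of_maxes": sum_of_maxes(STAGES),                       # 10 (conservative)
        "factored": factored_bound(STAGES),                         # 6 (exact)
        "shortest_feasible": min_of_sums(STAGES, e1_d2_infeasible), # 6 (exact)
        "sum_of_mins": sum_of_mins(STAGES),                         # 2 (under-approximation)
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>18}: {value}")
```

The feasibility predicate is where dependency information enters: with the trivial predicate the two bounds agree, and only once a combination is ruled out does the gap between the exact and the factored analyses open up.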

The art of scheduling analysis consists in finding a judicious trade-off between merging paths early in order to aggregate data on the one hand, and refining dependency paths by case analysis for the sake of exactness, on the other hand. A scheduling algebra for practicable algorithms must be able to express and control this trade-off. In this paper we present an interface theory which achieves this by coupling resource weights $d$ with logic formulas $\phi$. A pair $d : \phi$ specifies the semantic meaning of $d$ within the control-flow of a program module. Logical operations on the formulas then go hand-in-hand with arithmetic operations on resources. E.g., suppose a schedule activates control points $X$ and $Y$ with a cost of $d_1$ and $d_2$, respectively, expressed $d_1 : \circ X \wedge d_2 : \circ Y$. If the threads are resource concurrent then both controls are jointly active within the maximum, i.e., $\max\{d_1, d_2\} : \circ(X \wedge Y)$. If we are only concerned whether one of the controls is reached, then we take the minimum $\min\{d_1, d_2\} : \circ(X \oplus Y)$. If the activations of $X$ and $Y$ require interleaving of resources, then we must use addition $d_1 + d_2 : \circ(X \otimes Y)$.

Our interface theory combines min-max-plus algebra $(\mathbb{N}_\infty, \min, \max, +, 0, -\infty, +\infty)$, see e.g. [?], with a refinement of Boolean algebra to reason about logical control-flow. It features two conjunctions $\wedge$, $\otimes$ to distinguish concurrent from multi-threading parallelism, and two disjunctions $\vee$, $\oplus$ to separate external from internal scheduling choices, respectively. As a consequence of its constructive nature, our algebra replaces classical negation by a weaker and more expressive pseudo-complement for which $\overline{\overline{x}} = x$ and $x + \overline{x} = 1$ are no longer tautologies. This turns Boolean algebra into a so-called Heyting algebra. The work presented here is an extension and adaptation of our earlier work on propositional stabilisation theory [?], which has been developed to provide a semantic foundation for combinational timing analyses.

The plan for the paper is as follows: To start with, Sec. 2 lays out the syntactic and semantical groundwork for our interface type theory, which is then studied in some more detail in Sec. 3. For compactness we keep these theoretical Sections 2 and 3 fairly condensed, postponing examples to Secs. 4 and 5. In the former, Sec. 4, we sketch applications to network flow, shortest path and task scheduling, while in Sec. 5 we discuss the problem of WCRT analysis for Esterel-style synchronous processing. The paper concludes in Sec. 6 with a discussion of related work.

2 Syntax and Semantics of Synchronous Scheduling Interfaces 

Synchronous scheduling assumes that all dependencies in the control flow of a single instant are acyclic and that the propagation of control, for all threads, is a monotonic process in which each atomic control point is activated at most once. Let $V$ be a set of signals, or control variables, which specify the atomic control points in the interface of a synchronous module. An event is a subset $E \subseteq V$ of control variables. A synchronous activation sequence, or simply an activation, is a monotonically increasing function $\sigma \in n \to 2^V$ from $n = \{0, 1, \ldots, n-1\}$ into the set of events, i.e., $\sigma(i) \subseteq \sigma(j)$ for all $0 \le i < j < n$. The length $|\sigma|$ of $\sigma$ is the number of events it contains, i.e., $|\sigma| = n$. The unique activation of length $0$ is called the empty activation, also denoted $\emptyset$.

Activations model the monotonic process of signal propagation during one synchronous instant, i.e., between two ticks of the logical clock. They induce a Boolean valuation on the control variables in the sense that $A \in V$ may be considered "present" for the instant if $A \in \sigma(i)$ for some $0 \le i < |\sigma|$ and "absent" otherwise. In the former case, index $i$ is the activation level for the presence of control $A$. In general, the domain $n$ over which an activation is defined acts as a discrete domain of quantifiable resources which are consumed by control variables becoming active at different resource levels. In this way, activation sequences give an operational understanding of truth values that is faithful to causality and resource consumption. A canonical interpretation is the temporal reading: The length $|\sigma|$ is the duration of the synchronous instant, i.e., the overall reaction time, and $A \in \sigma(i)$ means that $A$ is activated, or is present, from micro-step $i$.

Definition 2.1 Let $\sigma \in n \to 2^V$ be an activation.

• A sub-activation $\sigma' \sqsubseteq \sigma$ of $\sigma$ is an activation $\sigma' \in m \to 2^V$ such that there exists a strictly monotonic function $f \in m \to n$ with $\sigma'(i) = \sigma(f(i))$ for all $i \in m$.

• We write $\sigma = \sigma_1 \cup \sigma_2$ to express that sub-activations $\sigma_1, \sigma_2 \sqsubseteq \sigma$ form an activation cover of $\sigma$, or an interleaving decomposition, in the sense that each event is contained in $\sigma_1$ or in $\sigma_2$, i.e., $\forall i \in |\sigma|.\ \exists j \in \{1, 2\}.\ \exists k \in |\sigma_j|.\ i = f_j(k)$, where $f_j$ are the index embeddings of $\sigma_j$, $j = 1, 2$.

• For every $i$ we define the shifted activation $\sigma[i,:] : m \to 2^V$, where $m =_{df} \{j \mid 0 \le j + i < |\sigma|\}$ and $\sigma[i,:](j) =_{df} \sigma(i + j)$.

A shifted activation is also a sub-activation, $\sigma[i,:] \sqsubseteq \sigma$. We have $\sigma[i,:] = \emptyset$ if $\sigma = \emptyset$ or if $i \ge |\sigma|$. The shift operator is monotonic wrt sub-activations and antitonic wrt resource level, i.e., if $\sigma' \sqsubseteq \sigma$ and $0 \le i \le j$ then $\sigma'[j,:] \sqsubseteq \sigma[i,:]$. This depends on strict monotonicity of the index embedding in $\sigma' \sqsubseteq \sigma$.
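As an added illustration of Def. 2.1 (example code, not from the paper), the following Python represents an activation as a list of event sets, checks monotonicity, decides the sub-activation relation by searching for the strictly monotonic index embedding $f$, implements the shift $\sigma[i,:]$ and the activation cover, and verifies the antitonicity claim on a constructed activation. The sample activation, the function names and the greedy search for the embedding are assumptions of this example, not notation from the paper:

```python
"""Added example, not from the paper: activations of Def. 2.1 as data, with
sub-activation, shift and cover checks. The sample activation is constructed."""
from typing import FrozenSet, List, Optional

Event = FrozenSet[str]
Activation = List[Event]            # index i holds the event sigma(i)

def is_activation(sigma: Activation) -> bool:
    """sigma(i) is a subset of sigma(j) for all i < j: controls only ever become present."""
    return all(sigma[i] <= sigma[i + 1] for i in range(len(sigma) - 1))

def embedding(sub: Activation, sigma: Activation) -> Optional[List[int]]:
    """Strictly monotonic index map f with sub[i] == sigma[f[i]] for every i,
    or None if none exists (then sub is not a sub-activation of sigma).
    A greedy left-to-right scan is sufficient: if any strictly monotonic
    embedding exists, moving each image to the earliest matching position
    keeps it strictly monotonic, so the greedy scan cannot miss it."""
    f, j = [], 0
    for ev in sub:
        while j < len(sigma) and sigma[j] != ev:
            j += 1
        if j == len(sigma):
            return None
        f.append(j)
        j += 1
    return f

def is_subactivation(sub: Activation, sigma: Activation) -> bool:
    return embedding(sub, sigma) is not None

def shift(sigma: Activation, i: int) -> Activation:
    """sigma[i,:](j) = sigma(i + j) for 0 <= i + j < |sigma|; empty once i >= |sigma|."""
    return sigma[i:] if i < len(sigma) else []

def activation_level(sigma: Activation, a: str) -> Optional[int]:
    """Least micro-step at which control a is present; None means a is absent."""
    for i, ev in enumerate(sigma):
        if a in ev:
            return i
    return None

def is_cover(sigma: Activation, sub1: Activation, sub2: Activation) -> bool:
    """sigma = sub1 ∪ sub2: both are sub-activations and their embeddings
    together hit every event index of sigma."""
    f1, f2 = embedding(sub1, sigma), embedding(sub2, sigma)
    if f1 is None or f2 is None:
        return False
    return set(f1) | set(f2) == set(range(len(sigma)))

def antitonic_holds(sub: Activation, sigma: Activation, i: int, j: int) -> bool:
    """The claim after Def. 2.1: sub ⊑ sigma and 0 <= i <= j imply sub[j,:] ⊑ sigma[i,:]."""
    assert is_subactivation(sub, sigma) and 0 <= i <= j
    return is_subactivation(shift(sub, j), shift(sigma, i))

# Constructed instant of length 4: X present from step 0, Y from step 1, Z from step 3.
SIGMA: Activation = [frozenset({"X"}), frozenset({"X", "Y"}),
                     frozenset({"X", "Y"}), frozenset({"X", "Y", "Z"})]
SUB_A: Activation = [frozenset({"X"}), frozenset({"X", "Y", "Z"})]   # events 0 and 3
SUB_B: Activation = [frozenset({"X", "Y"}), frozenset({"X", "Y"})]    # events 1 and 2

if __name__ == "__main__":
    print("embedding of SUB_A:", embedding(SUB_A, SIGMA))
    print("SUB_A ∪ SUB_B covers SIGMA:", is_cover(SIGMA, SUB_A, SUB_B))
    print("Z activation level:", activation_level(SIGMA, "Z"))
```

Note that the empty list is a sub-activation of everything (the embedding is the empty map), which is the degenerate case that Prop. 2.3 later relies on.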

In order to model non-determinism (abstracting from internal parameters or external environment) our interfaces are interpreted over subsets $\Sigma$ of activation sequences, called (synchronous) schedules. These schedules (of a program, a module, or any other program fragment) will be specified by a scheduling type $\phi$ generated by the logical operators
$$\phi ::= A \mid true \mid false \mid \phi \wedge \phi \mid \neg\phi \mid \phi \supset \phi \mid \phi \vee \phi \mid \phi \oplus \phi \mid \phi \otimes \phi \mid \circ\phi$$
generated from control variables $A \in V$. We will write $\Sigma \models \phi$ ($\sigma \models \phi$) to say that schedule $\Sigma$ (activation $\sigma$) satisfies the type $\phi$. The semantics of types is formally defined below in Def. 2.2.



Michael Mendler 



As a type specification, each control variable $A \in V$ represents the guarantee that "$A$ is active (the signal is present, the program label has been traversed, the state is activated) in all activations of $\Sigma$". The constant $true$ is satisfied by all schedules and $false$ only by the empty schedule or the schedule which contains only the empty activation. The type operators $\neg$, $\supset$ are negation and implication. The operators $\vee$ and $\oplus$ are two forms of logical disjunction to encode internal and external non-determinism and $\wedge$, $\otimes$ are two forms of logical conjunction related to true concurrency and interleaving concurrency, respectively. Finally, $\circ$ is the operator to express resource consumption. The usual bracketing conventions apply: The unary operators $\neg$, $\circ$ have highest binding power, implication $\supset$ binds most weakly and the multiplicatives $\wedge$, $\otimes$ are stronger than the summations $\vee$, $\oplus$. Occasionally, bi-implication $\phi = \psi$ is useful as an abbreviation for $(\phi \supset \psi) \wedge (\psi \supset \phi)$. Also, we note that $\neg\phi$ is equivalent to $\phi \supset false$.

A scheduling type $\phi$ by itself only captures the functional aspect of an interface. To get a full interface we need to enrich types by resource information. To this end, we associate with every scheduling type $\phi$ a set of scheduling bounds $Bnd(\phi)$ recursively as follows:
$$\begin{array}{ll}
Bnd(false) = 1 & Bnd(true) = 1 \\
Bnd(A) = 1 & Bnd(\neg\phi) = 1 \\
Bnd(\phi \wedge \psi) = Bnd(\phi) \times Bnd(\psi) & Bnd(\phi \vee \psi) = Bnd(\phi) + Bnd(\psi) \\
Bnd(\phi \otimes \psi) = Bnd(\phi) \times Bnd(\psi) & Bnd(\phi \supset \psi) = Bnd(\phi) \to Bnd(\psi) \\
Bnd(\circ\phi) = \mathbb{N}_\infty \times Bnd(\phi) & Bnd(\phi \oplus \psi) = Bnd(\phi) \times Bnd(\psi),
\end{array}$$
where $1 = \{0\}$ is a distinguished singleton set. Elements of the disjoint sum $Bnd(\phi) + Bnd(\psi)$ are presented as pairs $(0, f)$ where $f \in Bnd(\phi)$ or $(1, g)$ where $g \in Bnd(\psi)$. The set $Bnd(\phi) \times Bnd(\psi)$ is the Cartesian product of the sets $Bnd(\phi)$ and $Bnd(\psi)$, and $Bnd(\phi) \to Bnd(\psi)$ the set of total functions from $Bnd(\phi)$ to $Bnd(\psi)$. Intuitively, an element $f \in Bnd(\phi)$ may be seen as a form of generalised higher-order resource matrix for schedules of shape $\phi$.

Definition 2.2 A scheduling interface is a pair $f : \phi$ consisting of a scheduling type $\phi$ and a scheduling bound $f \in Bnd(\phi)$. An activation $\sigma$ satisfies an interface $f : \phi$, or satisfies the scheduling type $\phi$ with bound $f$, written $\sigma \models f : \phi$, according to the following inductive rules:

A schedule $\Sigma$ satisfies $\phi$ with bound $f$, written $\Sigma \models f : \phi$, if for all $\sigma \in \Sigma$, $\sigma \models f : \phi$. A schedule satisfies or is bounded for $\phi$ if there exists $f \in Bnd(\phi)$ such that $\Sigma \models f : \phi$.



The semantics $\Sigma \models f : \phi$ as formalised in Def. 2.2 is a ternary relation: It links schedules, types and bounds. The symbol $\models$ separates the behavioural model $\Sigma$ from the formal interface $f : \phi$. The latter, in turn, combines a qualitative and a quantitative aspect. The type $\phi$ captures the causal relationships between the control points and the bound $f \in Bnd(\phi)$ refines this quantitatively by weaving in concrete activation levels. The colon $:$ is a binary connective which separates these concerns.






An Algebra of Synchronous Scheduling Interfaces 



Proposition 2.3 $\sigma \models f : \phi$ and $\sigma' \sqsubseteq \sigma$ implies $\sigma' \models f : \phi$. Moreover, $|\sigma| = 0$ implies $\sigma \models f : \phi$.

Prop. 2.3 says that interfaces are inherited by sub-activations. This is natural since a sub-activation selects a subset of events and thus (in general) contains more control variables with lower activation distances. The degenerate case is the empty activation, which is inconsistent and thus satisfies all interfaces, including the strongest specification $\neg false$, viz. "everything is true with zero resource consumption".



The most general way to use the semantic relation of Def. 2.2 is to consider the set of (typically abstracted) activations for a given module $P$ as a schedule $\Sigma_P$, and then determine a suitable interface for it. Any such $f : \phi$ with $\Sigma_P \models f : \phi$ may be taken as a valid interface specification of $P$ giving a quantified behavioural guarantee for all activations $\sigma \in \Sigma_P$ under the given scheduling assumptions. Ideally, we are interested in the best fitting or tightest interface, if such exists. To measure the relative strength of an interface we employ Def. 2.2 to associate with every pair $f : \phi$ the schedule $[[f : \phi]] = \{\sigma \mid \sigma \models f : \phi\}$ which is the semantic meaning of the interface. Interfaces may then be compared naturally. The smaller the set of associated activations $[[f : \phi]]$ the tighter is the interface $f : \phi$. Formally, we write
$$f : \phi \preceq g : \psi \quad \text{iff} \quad [[f : \phi]] \subseteq [[g : \psi]]$$
and $f : \phi = g : \psi$ in case $[[f : \phi]] = [[g : \psi]]$. We call an interface $f : \phi$ tight for $\Sigma_P$ if it is minimal wrt $\preceq$, i.e., whenever $g : \psi \preceq f : \phi$ and $\Sigma_P \models g : \psi$ then $f : \phi = g : \psi$. A tight interface provides exact information about $\Sigma_P$ in both the functional and the resource dimensions within the expressiveness of our typing language. Typically, however, we are given some schedule $\Sigma_P$ together with a fixed type $\phi$ and ask for a minimal bound $f$ such that $\Sigma_P \models f : \phi$. If such a tight bound exists and is unique we call it worst-case for $\phi$.

We generalise equivalence to arbitrary types, taking $\phi = \psi$ to mean that for every $f \in Bnd(\phi)$ there is $g \in Bnd(\psi)$ such that $f : \phi = g : \psi$ and vice versa, for each $g \in Bnd(\psi)$ we can find $f \in Bnd(\phi)$ with $g : \psi = f : \phi$. The main purpose of the relations $\preceq$ and $=$ is to justify strengthening, weakening or semantics-preserving transformations to handle interfaces as tightly as sensible. They are the basis of the interface algebra, some of whose laws will be studied next.



3 The Algebra of Scheduling Types 

The set of scheduling bounds $Bnd(\phi)$ captures the amount of resource information associated with a type $\phi$. In this respect the most simple class of types is that for which $Bnd(\phi)$ is (order) isomorphic to $1$. Such types are called pure since they do not carry resource information and thus specify only functional behaviour. It will be convenient to exploit the isomorphism $Bnd(\zeta) \cong 1$ and identify all bounds $f \in Bnd(\zeta)$ of a pure type canonically with the unique $0 \in 1$. Further, since it is unique, we may as well drop the (non-informative) bound and simply write $\zeta$ instead of $0 : \zeta$. This means, e.g., that $\zeta_1 \wedge \zeta_2$, $(0, 0) : \zeta_1 \wedge \zeta_2$ and $0 : \zeta_1 \wedge \zeta_2$ are all identified.
Second, with this simplification on pure types in place, we may mix bounds and types and apply the type operators to full interfaces. Since $f : \phi$ specifies individual activations it formally behaves like an atomic statement. Hence, it is possible to use interfaces $f : \phi$ themselves as generalised "control variables" in types such as $(f : \phi) \wedge \psi$ or $\circ(f : \phi)$. We simply define
$$Bnd(f : \phi) =_{df} 1 \qquad\qquad \sigma \models 0 : (f : \phi) \text{ iff } \sigma \models f : \phi$$
which turns an interface $f : \phi$ into a pure type. Then, e.g., $[[f : \phi \wedge g : \psi]] = [[(0, 0) : (f : \phi \wedge g : \psi)]] = [[0 : (f : \phi)]] \cap [[0 : (g : \psi)]] = [[f : \phi]] \cap [[g : \psi]]$.
A few basic facts about the interface algebra arising from Def. 2.2 are readily derived. Not really surprisingly, $true$ and $false$ are complements, $\neg true = false$, $\neg false = true$, as well as neutral elements $false \otimes \phi = false \oplus \phi = true \wedge \phi = \phi$ and dominant elements $false \wedge \phi = false$, $true \oplus \phi = true \vee \phi = true \otimes \phi = true$. Shifting a type by $-\infty$ and $+\infty$ produces the strongest and weakest statements $false$ and $true$, respectively:

Proposition 3.1 For arbitrary types $\phi$, $-\infty : \circ\phi = false$ and $+\infty : \circ\phi = true$.

All operators $\vee$, $\wedge$, $\oplus$ and $\otimes$ are commutative. The pairs $\vee \leftrightarrow \wedge$ and $\oplus \leftrightarrow \wedge$ fully distribute over each other, while $\otimes$ distributes over both $\oplus$ and $\vee$, but not the other way round. Between $\otimes$ and $\wedge$ no distribution is possible, in general. One can show that the fragment $\vee$, $\wedge$, $false$, $\supset$ satisfies the laws of Heyting algebras seen in Prop. 3.2.

Proposition 3.2 For arbitrary types $\phi_1$, $\phi_2$, $\psi$:
$$\begin{array}{rcl@{\qquad\qquad}rcl}
(\phi_1 \wedge \phi_2) \supset \psi & = & \phi_1 \supset (\phi_2 \supset \psi) & \phi_1 \supset (\phi_2 \supset \phi_1) & = & true \\
(\phi_1 \vee \phi_2) \supset \psi & = & (\phi_1 \supset \psi) \wedge (\phi_2 \supset \psi) & (\phi_1 \supset \phi_2) \wedge \phi_1 & = & \phi_1 \wedge \phi_2 \\
false \supset \psi & = & true & \psi \supset (\phi_1 \wedge \phi_2) & = & (\psi \supset \phi_1) \wedge (\psi \supset \phi_2) \\
\psi \supset false & = & \neg\psi & \psi \supset true & = & true \\
 & & & true \supset \psi & = & \psi
\end{array}$$



It is worthwhile to observe that the classical principles of the Excluded Middle $A \oplus \neg A$ and $A \vee \neg A$ are both different and not universally valid in WCRT algebra. The latter says $A$ is static, i.e., $A$ is present in all activations or absent in all activations, the former that signal $A$ is stable, i.e., in each activation individually, $A$ is either present from the start or never becomes active. Clearly, not every signal is static or stable. The absence of the axioms $A \oplus \neg A$, $A \vee \neg A$, which arises naturally from the activation semantics, is a defining characteristic of intuitionistic logic or Heyting algebra. This feature is crucial to handle the semantics of synchronous languages in a compositional and fully abstract way [20].



Boolean Types. An important sub-class of pure types are negated types $\neg\phi$. They express universal statements about each singleton event of each activation sequence in a schedule. For instance, $\Sigma \models \neg(A \oplus B)$ says that no event $\sigma(i) \subseteq V$ ($0 \le i < |\sigma|$) in any $\sigma \in \Sigma$ contains $A$ or $B$. Similarly, $\neg(A \supset B)$ states that $A$ is present and $B$ is absent in every event of every activation sequence, which is the same as $\neg\neg(A \wedge \neg B)$. Negated types are expressively equivalent to, and can be transformed into, Boolean types obtained from the following grammar, where $\phi$ is an arbitrary type:
$$\beta ::= true \mid false \mid A \mid \neg\beta \mid \beta \wedge \beta \mid \beta \oplus \beta \mid \phi \supset \beta.$$

Proposition 3.3 The Boolean types form a Boolean algebra with $\neg$, $\wedge$, $\oplus$ as classical complement, conjunction and disjunction, respectively. Moreover, $\Sigma \models \beta$ iff for every $\sigma \in \Sigma$ and $i \in |\sigma|$ the event $\sigma(i) \subseteq V$ satisfies $\beta$ as a classical Boolean formula in control variables $V$.



A consequence of Prop. 3.3 is that the interface algebra contains ordinary classical Boolean algebra as the fragment of Boolean types. In particular, for Boolean types the Double Negation principle $\neg\neg\beta = \beta$ and Excluded Middle $\neg\beta \oplus \beta = true$ hold, as well as the De Morgan Laws $\neg(\beta_1 \wedge \beta_2) = \neg\beta_1 \oplus \neg\beta_2$ and $\neg(\beta_1 \oplus \beta_2) = \neg\beta_1 \wedge \neg\beta_2$. Boolean types, like all types satisfying $\neg\neg\phi = \phi$ or $\neg\phi \oplus \phi = true$, behave exactly like expressions of Boolean algebra, encapsulating a Boolean condition to be satisfied by each event in a sequence.









Pure Types. The sum operator $\oplus$ takes us outside the sub-language of Boolean types. The reason is that the truth of $\oplus$, e.g., in stability $A \oplus \neg A$, depends on the global behaviour of an activation and cannot be reduced to a single Boolean condition. This is highlighted by the difference between $\sigma \models A \vee B$, which is the condition $\forall i \in |\sigma|.\ A \in \sigma(i)$ or $\forall i \in |\sigma|.\ B \in \sigma(i)$, and $\sigma \models A \oplus B$, which says $\forall i \in |\sigma|.\ A \in \sigma(i)$ or $B \in \sigma(i)$. The larger class of pure types, which includes $\oplus$, gives us the possibility to express "Boolean" conditions across activations, as opposed to Boolean types which act within activations. The pure types, denoted by meta-variable $\zeta$, are characterised syntactically as follows:
$$\zeta ::= \beta \mid \zeta \wedge \zeta \mid \zeta \oplus \zeta \mid \zeta \otimes \zeta \mid \phi \supset \zeta,$$
where $\beta$ is Boolean and $\phi$ is an arbitrary type. Notice that not only every Boolean type, but also every negation $\neg\phi = \phi \supset false$, is pure according to this syntactic criterion.
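The following added Python example (not from the paper) reads Prop. 3.3 and the two conditions given above operationally: a Boolean type is a small classical formula evaluated in each event, and the two disjunction conditions are coded exactly as the text states them, with Boolean conditions substituted for the single variables $A$ and $B$. That substitution is deliberate: for a single control variable in a monotonic activation, $A \in \sigma(0)$ already puts $A$ into every event, so on atoms the two conditions coincide and they only differ for compound conditions such as $A \wedge \neg B$. The tuple encoding of formulas, the function names and all sample activations are assumptions of this example:

```python
"""Added example, not from the paper: Boolean types evaluated eventwise
(Prop. 3.3) and the two disjunction conditions stated in the text.
Formula encoding and sample activations are constructed for this example."""
from itertools import combinations
from typing import FrozenSet, List, Tuple, Union

Event = FrozenSet[str]
Activation = List[Event]
Schedule = List[Activation]
# Assumed encoding of a Boolean type:
#   True | False | ("var", A) | ("not", b) | ("and", b, b) | ("or", b, b)
Bool = Union[bool, Tuple]

def holds_in_event(beta: Bool, event: Event) -> bool:
    """Classical truth of a Boolean type in a single event (set of present controls)."""
    if isinstance(beta, bool):
        return beta
    tag = beta[0]
    if tag == "var":
        return beta[1] in event
    if tag == "not":
        return not holds_in_event(beta[1], event)
    if tag == "and":
        return holds_in_event(beta[1], event) and holds_in_event(beta[2], event)
    if tag == "or":
        return holds_in_event(beta[1], event) or holds_in_event(beta[2], event)
    raise ValueError(f"unknown connective {tag!r}")

def all_events(variables: List[str]) -> List[Event]:
    """Every possible event over the given control variables, i.e. all subsets."""
    return [frozenset(c) for r in range(len(variables) + 1)
            for c in combinations(variables, r)]

def boolean_satisfied(schedule: Schedule, beta: Bool) -> bool:
    """Prop. 3.3: the schedule satisfies beta iff beta holds in every event of every activation."""
    return all(holds_in_event(beta, ev) for sigma in schedule for ev in sigma)

def global_or(sigma: Activation, b1: Bool, b2: Bool) -> bool:
    """Condition the text gives for A ∨ B: b1 holds in all events, or b2 holds in all events."""
    return (all(holds_in_event(b1, ev) for ev in sigma)
            or all(holds_in_event(b2, ev) for ev in sigma))

def pointwise_or(sigma: Activation, b1: Bool, b2: Bool) -> bool:
    """Condition the text gives for A ⊕ B: every event satisfies b1 or b2."""
    return all(holds_in_event(b1, ev) or holds_in_event(b2, ev) for ev in sigma)

def valid_boolean(beta: Bool, variables: List[str]) -> bool:
    """Classical validity: beta holds in every conceivable event."""
    return all(holds_in_event(beta, ev) for ev in all_events(variables))

def equivalent(b1: Bool, b2: Bool, variables: List[str]) -> bool:
    """Two Boolean types agree on every conceivable event."""
    return all(holds_in_event(b1, ev) == holds_in_event(b2, ev) for ev in all_events(variables))

A, B, C = ("var", "A"), ("var", "B"), ("var", "C")
A_NOT_B: Bool = ("and", A, ("not", B))

# Constructed activations: in SWITCH, A is present from step 0 and B joins at step 1.
SWITCH: Activation = [frozenset({"A"}), frozenset({"A", "B"})]
ONLY_B: Activation = [frozenset({"B"}), frozenset({"B", "C"})]

def demo() -> dict:
    return {
        # event 0 satisfies A ∧ ¬B and event 1 satisfies B, so each event meets one
        # of the two conditions, yet neither condition holds throughout the activation
        "switch_pointwise": pointwise_or(SWITCH, A_NOT_B, B),                     # True
        "switch_global": global_or(SWITCH, A_NOT_B, B),                           # False
        "no_A_with_C": boolean_satisfied([SWITCH, ONLY_B], ("not", ("and", A, C))),  # True
        "excluded_middle": valid_boolean(("or", ("not", B), B), ["A", "B"]),      # True
        "de_morgan": equivalent(("not", ("and", A, B)),
                                ("or", ("not", A), ("not", B)), ["A", "B"]),      # True
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>16}: {value}")
```

The last two entries check the classical laws the text attributes to Boolean types; the first two show that the same activation can meet the eventwise reading of a disjunction while failing the reading that quantifies over the whole activation.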

Proposition 3.4 Every pure type $\zeta$ has a representation $\zeta = \bigoplus_i \beta_i$ over Boolean types $\beta_i$.

Elementary Types. Pure types have the special property that schedules $\Sigma$ are bounded for them iff each individual activation $\sigma \in \Sigma$ is bounded, i.e., they express properties of individual activations. Formally, if $\Sigma_1 \models \zeta$ and $\Sigma_2 \models \zeta$ then $\Sigma_1 \cup \Sigma_2 \models \zeta$. Disjunctions $\zeta_1 \vee \zeta_2$ and resource types $\circ\zeta$, in contrast, do not share this locality property: Although each activation $\sigma$ may satisfy $\zeta_1$ or $\zeta_2$, the schedule $\Sigma$ as a whole need not be resource-bounded for $\zeta_1 \vee \zeta_2$ as this would mean all activations satisfy $\zeta_1$ or all satisfy $\zeta_2$. Similarly, each individual activation $\sigma \in \Sigma$ may validate $\circ\zeta$ with some resource bound, without necessarily there being a single common bound for all activations in $\Sigma$.

A useful class of types containing $\vee$ and $\circ$ are those for which $Bnd(\phi)$ is canonically order-isomorphic to a Cartesian product of numbers, i.e., to $\mathbb{N}_\infty^n$ for some $n \ge 0$. These scheduling types with $Bnd(\theta) \cong \mathbb{N}_\infty^n$ are called elementary. They are generated by the grammar
$$\theta ::= \zeta \mid \theta \oplus \theta \mid \theta \otimes \theta \mid \circ\zeta \mid \phi \supset \theta,$$
where $\zeta$ is pure and $\phi$ is $\circ$-free. Elementary scheduling types are of special interest since their elements are first-order objects, i.e., vectors and matrices of natural numbers.

Elementary interfaces specify the resource consumption of logical controls. For instance, $\sigma \models (d, 0) : \circ\zeta$, given $\zeta = \bigoplus_i \beta_i$ (see Prop. 3.4), says that $\sigma$ enters and remains inside a region of events described by one of the Boolean conditions $\beta_i$ and consumes at most $d$ resource units to do that. The special case $\sigma \models d : \circ false$ says that $\sigma$ consumes no more than $d$ units during any instant. Similarly, $\sigma \models \zeta \supset (d, 0) : \circ\zeta'$ with $\zeta = \bigoplus_i \beta_i$ and $\zeta' = \bigoplus_j \gamma_j$ says that every sub-activation $\sigma' \sqsubseteq \sigma$ that runs fully inside one of the regions $\beta_i$ must reach one of the regions $\gamma_j$ with resources bounded by $d$. Then, $\sigma \models \zeta \supset (d, 0) : \circ false$ means that $\sigma$ consumes no more than $d$ units while staying in any of the regions $\beta_i$.

To compactify the notation we will write tuples $(d_1, d_2)$ for the bounds $((d_1, 0), (d_2, 0)) \in (\mathbb{N}_\infty \times 1) \times (\mathbb{N}_\infty \times 1) = \mathbb{N}_\infty \times \mathbb{N}_\infty$ of types such as $\circ\zeta_1 \oplus \circ\zeta_2$, $\circ\zeta_1 \otimes \circ\zeta_2$, $\circ\zeta_1 \wedge \circ\zeta_2$. We apply this simplification also to bounds $f \in 1 \to \mathbb{N}_\infty \times 1 = \mathbb{N}_\infty$ for types such as $\zeta_1 \supset \circ\zeta_2$. We write $[d] : \zeta_1 \supset \circ\zeta_2$, treating the bracketed value $[d]$ like a function $\lambda x.\,(d, 0)$. In fact, $[d] : \zeta_1 \supset \circ\zeta_2$ is the special case of a $1 \times 1$ matrix. We will systematically write column vectors $[d_1; d_2]$ instead of $\lambda x.\,((d_1, 0), (d_2, 0))$ for the bounds of types such as $\zeta \supset \circ\zeta_1 \oplus \circ\zeta_2$, $\zeta \supset \circ\zeta_1 \wedge \circ\zeta_2$ or $\zeta \supset \circ\zeta_1 \otimes \circ\zeta_2$, and row vectors $[d_1, d_2]$ in place of $\lambda x.\,\mathrm{case}\ x\ \mathrm{of}\ [(0, 0) \to (d_1, 0),\ (1, 0) \to (d_2, 0)]$ for types $\zeta_1 \vee \zeta_2 \supset \circ\zeta$. Our linearised matrix notation uses the semicolon for row-wise and the ordinary comma for column-wise composition of sub-matrices. Specifically, $[d_{11}; d_{21}, d_{12}; d_{22}]$ and $[d_{11}, d_{12}; d_{21}, d_{22}]$ denote the same $2 \times 2$ matrix.
In the following Secs. 4 and 5 we are going to illustrate different sub-algebras of specialised elementary types to manipulate combined functional and quantitative information and to facilitate interface abstractions. These generalise the algebra of dioids [?, 17] to full max-min-plus, obtaining an equally tight as uniform combination of scheduling algebra and logical reasoning.



4 Examples I: Network Flow, Shortest Path, Task Scheduling 

The logical operations on types control the arithmetical operations on resource bounds. The next two Props. 4.1 and 4.2 sum up some important basic facts.

Proposition 4.1 The arithmetic operations min, max and + compute worst-case bounds such that 
The law (1) expresses a sequential composition of an offset by $d_1$ from control point $\zeta_1$ to $\zeta_2$ with a further shift of $d_2$ from $\zeta_2$ to $\zeta_3$. The best guarantee we can give for the cost between $\zeta_1$ and $\zeta_3$ is the addition $d_1 + d_2$. The bounds $[d_1]$ and $[d_2]$ act like typed functions with $[d_1 + d_2]$ being function composition, $[d_2] \cdot [d_1] = [d_1 + d_2]$. This is nothing but the multiplication of $1 \times 1$ matrices in max-plus or min-plus algebra. The law (2) is conjunctive forking: If it takes at most $d_1$ units from $\zeta$ to some control point $\zeta_1$ and at most $d_2$ to $\zeta_2$, then we know that within $\max\{d_1, d_2\}$ we have activated both together, $\zeta_1 \wedge \zeta_2$. A special case of this occurs when $\zeta = true$, i.e., $d_1 : \circ\zeta_1 \wedge d_2 : \circ\zeta_2 \preceq \max\{d_1, d_2\} : \circ(\zeta_1 \wedge \zeta_2)$. Now suppose conjunction is replaced by sum $\zeta_1 \oplus \zeta_2$, i.e., we are only interested in activating one of $\zeta_1$ or $\zeta_2$, but do not care which. The worst-case bound for this disjunctive forking is the minimum, as seen in (3). Again, there is the special case $d_1 : \circ\zeta_1 \wedge d_2 : \circ\zeta_2 \preceq \min\{d_1, d_2\} : \circ(\zeta_1 \oplus \zeta_2)$. Dually, disjunctive joins (4) are governed by the maximum: Suppose that starting in $\zeta_1$ activates $\zeta$ with at most $d_1$ cost and starting in $\zeta_2$ takes at most $d_2$ resource units. Then, if we only know the activation starts from $\zeta_1$ or $\zeta_2$ but not which, we can obtain $\zeta$ if we are prepared to expend the maximum of both costs. If, however, we assume the schedule activates both $\zeta_1$ and $\zeta_2$, which amounts to conjunctive join, then the destination $\zeta$ is obtained with the minimum of both shifts, see (5).

Proposition 4.2 Let $\zeta_1$, $\zeta_2$ be pure types which are persistent in the sense that whenever $\sigma(k) \models \zeta_i$ for $0 \le k < |\sigma|$ then $\sigma[k,:] \models \zeta_i$, too. Then,
$$\begin{array}{rcll}
d_1 : \circ\zeta_1 \otimes d_2 : \circ\zeta_2 & \preceq & d_1 + d_2 : \circ(\zeta_1 \oplus \zeta_2) & (6) \\
(d_1 : \circ\zeta_1 \wedge (\zeta_1 \supset \zeta_2)) \otimes (d_2 : \circ\zeta_2 \wedge (\zeta_2 \supset \zeta_1)) & \preceq & d_1 + d_2 : \circ(\zeta_1 \wedge \zeta_2). & (7)
\end{array}$$



Consider (6) of Prop. 4.2. Suppose a schedule $\sigma$ splits into two (sub-)threads $\sigma = \sigma_1 \cup \sigma_2$, each switching control $\zeta_1$ and $\zeta_2$ consuming at most $d_1$ and $d_2$ units, respectively. Since they can be arbitrarily interleaved and we do not know which one completes first, all we can claim is $\sigma(k) \models \zeta_i$ for some $k \le d_1 + d_2$ and $i = 1, 2$. By persistence, this suffices to maintain $\zeta_i$ from level $k$ onwards, so that $\sigma \models d_1 + d_2 : \circ(\zeta_1 \oplus \zeta_2)$. Without imposing further assumptions, a sub-thread may be allocated an unknown number of resource units, thereby stalling the progress of the other, unboundedly. The situation changes, however, if the $\zeta_i$ are synchronisation points where the threads must give up control unless the other thread has passed its own synchronisation point $\zeta_j$ ($i \ne j$), too. This is the content of (7) and specified formally by the additional constraints $\zeta_i \supset \zeta_j$.

Props. 4.1 and 4.2 highlight how the arithmetic of min-max-plus algebra is guided by the logical semantics of interface types. From this vantage point, resource analysis is nothing but a semantics-consistent manipulation of a collection of numbers: Whether $[d_1] : \phi_1$, $[d_2] : \phi_2$ are to be added, maximised or minimised depends on their types $\phi_1$ and $\phi_2$. In particular, keeping track of the types will make the difference between a max-of-sums (sum-of-mins) as opposed to a sum-of-maxes (min-of-sums).



4.1 Network Flow 



Consider the dependency graph in Fig. 1 with control nodes $V = \{A, B, C, D, E, F\}$ and dependency edges labelled by positive integers. Let us assume the graph models a communication network in which control nodes represent packet routers and edges are directed point-to-point connections of limited bandwidth. For instance, the router at node $D$ receives packets from routers $B$ and $C$ through channels of bandwidth 1 and 4, respectively. It forwards the incoming traffic to routers $E$ or $F$ of bandwidth 5 and 4, respectively. The bandwidth measures the maximal amount of information that can travel across the channel per synchronisation instant. The analysis of the maximum throughput is a synchronous scheduling problem which can be modelled using interface types.

Figure 1: Scheduling Dependency Graph $N$

We associate with the network $N$ a scheduling type $\phi_N$ such that the amount of packets that can be pushed into a node $X$ is given by the minimal $d$ such that $\phi_N \preceq X \supset d : \circ false$, i.e., the maximal number of scheduling cycles that node $X$ may be kept alive within any activation specified by $\phi_N$. The idea is that if $\sigma \in [[\phi_N]]$ is a valid activation of $N$ then each cycle $i \in |\sigma|$ such that $X \in \sigma(i)$ represents a packet unit $i$ sent through $X$. The event $\sigma(i) \subseteq V$ encodes the packet's path, i.e., the set of all routers that payload unit $i$ is passing on its journey through the network. The statement $\sigma \models X \supset d : \circ false$ then says that whenever $X$ becomes alive in activation $\sigma$ it handles no more than $d$ packets. This number may vary between activations. The minimal $d$, bounding all activations in this way, is the maximal throughput at $X$ permitted by specification $\phi_N$. Observe that both capacity values $0$ and $-\infty$ are equivalent, $0 : \circ false = -\infty : \circ false = false$. In fact, the type $X \supset 0 : \circ false$, paraphrased "$X$ forwards 0 packets", and $X \supset -\infty : \circ false$, saying "$X$ does not forward any packets", are the same statements and equivalent to $\neg X$.

Now consider node D again. Within the synchronous measurement instant, all packets arriving at D must be scheduled to leave through channels D → E or D → F. Consider an activation σ ⊨ D, i.e., all i ∈ |σ| are packets dispatched through D. Some of these will go to E, others to F and all go to one of the two. Hence there are sub-activations σ = σ₁ ∪ σ₂ such that σ₁ ⊨ E and σ₂ ⊨ F. Also, because of the channel limitations, there can be at most 5 packet units of the former and 4 of the latter type. Thus, σ₁ ⊨ E ∧ 5 : ∘false and σ₂ ⊨ F ∧ 4 : ∘false. All in all, we have found the type specifying D and its connections in N to be D ⊃ (E ∧ 5 : ∘false) ⊗ (F ∧ 4 : ∘false).

The tensor is used to model the output branching at a node. Observe that if we increase one of the channel capacities to +∞, say the one giving access to E, we get D ⊃ (E ∧ +∞ : ∘false) ⊗ (F ∧ 4 : ∘false) = D ⊃ E ⊗ (F ∧ 4 : ∘false) because E ∧ +∞ : ∘false = E ∧ true = E. This means the channel D → E does not impose any further constraints on the throughput besides what E prescribes. If we decrease the capacity to 0, the type reduces to D ⊃ (E ∧ 0 : ∘false) ⊗ (F ∧ 4 : ∘false) = D ⊃ F ∧ 4 : ∘false since E ∧ 0 : ∘false = E ∧ false = false and false ⊗ φ = φ. Hence, a capacity of 0 behaves as if the channel was cut off completely. Consequently, the degenerated case of a node X without any exits would be specified by X ⊃ false or ¬X. If we conjoin the types for all nodes of N as seen in Fig. 1 we get

φ_N =df   true ⊃ (A ∧ +∞ : ∘false)                                   (8)
        ∧ A ⊃ ((B ∧ 5 : ∘false) ⊗ (C ∧ 3 : ∘false))                   (9)
        ∧ B ⊃ ((E ∧ 2 : ∘false) ⊗ (D ∧ 1 : ∘false))                   (10)
        ∧ C ⊃ ((D ∧ 4 : ∘false) ⊗ (F ∧ 8 : ∘false))                   (11)
        ∧ D ⊃ ((E ∧ 5 : ∘false) ⊗ (F ∧ 4 : ∘false))                   (12)
        ∧ E ⊃ (F ∧ 2 : ∘false)                                        (13)
        ∧ F ⊃ (true ∧ +∞ : ∘false).                                   (14)

Type (8) designates A as the source node of the network. It formalises a source channel of infinite capacity permitting the global environment, represented by the logical control true, to push as many packets as possible into A. Analogously, destination node F (14) returns packets back to the external environment. Again, this sink channel has infinite capacity, since all packets arriving at F will be delivered.

The throughput d_N of N is the smallest d such that φ_N ⊢ d : ∘false. To get the "exact" or "optimal" bound we must explore the network in breadth and depth. The analysis strategy involves non-linear global optimisation such as the Ford-Fulkerson or Goldberg's Preflow-Push algorithms. This is not the place to review these algorithms. We shall merely indicate how their logical content can be coded in type theory. Consider that each of the network implications (8)-(14) of the form X ⊃ ⊗_Y (Y ∧ d_Y : ∘false) can be used as an equation X = X ∧ ⊗_Y (Y ∧ d_Y : ∘false) for transformations by substitution. For example, proceeding forwards from the source A, breadth-first, we can derive



  ⊢ A ∧ ((B ∧ 5 : ∘false) ⊗ (C ∧ 3 : ∘false))
  = A ∧ ((B ∧ ((E ∧ 2 : ∘false) ⊗ (D ∧ 1 : ∘false)) ∧ 5 : ∘false)
         ⊗ (C ∧ ((D ∧ 4 : ∘false) ⊗ (F ∧ 8 : ∘false)) ∧ 3 : ∘false))
  ⊢ ((A ∧ B ∧ E ∧ 2 : ∘false)                                          (15)
     ⊗ (A ∧ B ∧ D ∧ 1 : ∘false))                                       (16)
    ⊗ (((A ∧ C ∧ D ∧ 3 : ∘false)                                       (17)
     ⊗ (A ∧ C ∧ F ∧ 3 : ∘false)) ∧ 3 : ∘false),                        (18)

using the special ∧/⊗ distribution X ∧ (φ₁ ⊗ φ₂) = (X ∧ φ₁) ⊗ (X ∧ φ₂) for atoms X ∈ V, and the derivable laws ((φ₁ ∧ d₁ : ∘false) ⊗ (φ₂ ∧ d₂ : ∘false)) ∧ e : ∘false = (φ₁ ∧ d₁ : ∘false) ⊗ (φ₂ ∧ d₂ : ∘false) for e ≥ d₁ + d₂ and ((φ₁ ∧ d₁ : ∘false) ⊗ (φ₂ ∧ d₂ : ∘false)) ∧ e : ∘false = (φ₁ ∧ e : ∘false) ⊗ (φ₂ ∧ e : ∘false) ∧ e : ∘false for e ≤ min(d₁, d₂).

The type (15)-(18) describes the resource usage of packets entering the network up to a depth of 3 nodes, classifying them into 4 separate flows: The packets from (15) pass through A → B → E and can occupy at most 2 bandwidth units, those from (16) follow the path A → B → D and have a volume of at most 1 unit. Furthermore, the packets (17) travelling along A → C → D or (18) on path A → C → F each have at most volume 3, as specified by A ∧ C ∧ D ∧ 3 : ∘false and A ∧ C ∧ F ∧ 3 : ∘false. Moreover, their sum must not exceed the limit 3 either, as enforced by the extra outer conjunct 3 : ∘false. The maximal flow through the network can be obtained by applying the (in-)equations (15)-(18) in this fashion until saturation is achieved, when all logical controls may be dropped, turning equation = into inequation ⊢:

true ⊢ A = ···
       ⊢ ((A ∧ B ∧ E ∧ F ∧ 2 : ∘false)
          ⊗ (A ∧ B ∧ D ∧ F ∧ 1 : ∘false))
         ⊗ (((((A ∧ C ∧ D ∧ F ∧ 3 : ∘false)
              ⊗ (A ∧ C ∧ D ∧ E ∧ F ∧ 2 : ∘false)) ∧ 3 : ∘false)
             ⊗ (A ∧ C ∧ F ∧ 3 : ∘false)) ∧ 3 : ∘false)
       ≤ (2 : ∘false ⊗ 1 : ∘false)
         ⊗ ((((3 : ∘false ⊗ 2 : ∘false) ∧ 3 : ∘false) ⊗ 3 : ∘false) ∧ 3 : ∘false) = 6 : ∘false,

using the laws d : ∘false ∧ e : ∘false = min(d, e) : ∘false and d : ∘false ⊗ e : ∘false = d + e : ∘false, derived from (3) and (6), respectively.

This saturation process is a fixed-point construction which may be implemented using a standard "max-flow" algorithm. Specifically, the graph algorithms of Ford-Fulkerson or Goldberg are efficient decision procedures for deciding the algebra induced by the fragment of types appearing in (8)-(18). This sub-algebra of "logical numbers" provides a purely algebraic interpretation for these standard algorithms. It should be clear that the graph-theoretic information is coded in the syntactic structure of the types. However, in contrast to plain graphs, types are equipped with behavioural meaning in the form of scheduling sequences. They generate a plus-min algebra of scheduling sequences which is not a linear algebra, as it does not satisfy distribution. Specifically, e : ∘false ∧ (d₁ : ∘false ⊗ d₂ : ∘false) = min(e, d₁ + d₂) : ∘false ≤ min(e, d₁) + min(e, d₂) : ∘false = (e : ∘false ∧ d₁ : ∘false) ⊗ (e : ∘false ∧ d₂ : ∘false). This approximation offset, of course, is why max-flow problems are not linear matrix problems but require global search and relaxation methods.
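The saturation argument above, as an added example (not code from the paper): the capacities of N read off (8)-(14) are encoded in a dictionary, the saturated type is evaluated with the min/+ laws of the logical-number fragment, and the same bound is recovered by Edmonds-Karp, the breadth-first variant of Ford-Fulkerson; the names CAPACITY, logical_number, max_flow and the 'src'/'sink' nodes standing for the control true are this example's own.

```python
"""Throughput of the network N from Fig. 1, Sec. 4.1 (added example, not the paper's code).

Two views of the same bound: (i) the saturated type evaluated in the 'logical number'
fragment, where φ ∧ e : ∘false is min and ⊗ is +; (ii) the max-flow over the channel
capacities of (8)-(14), computed with Edmonds-Karp (breadth-first Ford-Fulkerson).
"""
from collections import deque
from math import inf

# Channel capacities of N as read off (8)-(14).  'src' and 'sink' stand for the
# infinite-capacity channels true ⊃ A and F ⊃ true.
CAPACITY = {
    ("src", "A"): inf,
    ("A", "B"): 5, ("A", "C"): 3,
    ("B", "E"): 2, ("B", "D"): 1,
    ("C", "D"): 4, ("C", "F"): 8,
    ("D", "E"): 5, ("D", "F"): 4,
    ("E", "F"): 2,
    ("F", "sink"): inf,
}

def logical_number(t):
    """Evaluate a type of the logical-number fragment to its bound d.

    t is ('bnd', d) for d : ∘false, ('meet', t1, e) for t1 ∧ e : ∘false (law: min)
    or ('tensor', t1, t2) for t1 ⊗ t2 (law: +).  0 and -inf both denote false,
    +inf denotes true.
    """
    tag = t[0]
    if tag == "bnd":
        return t[1]
    if tag == "meet":
        return min(logical_number(t[1]), t[2])
    if tag == "tensor":
        return logical_number(t[1]) + logical_number(t[2])
    raise ValueError("unknown constructor %r" % tag)

#  The saturated type of Sec. 4.1 with all logical controls dropped:
#  (2 ⊗ 1) ⊗ ((((3 ⊗ 2) ∧ 3) ⊗ 3) ∧ 3)
SATURATED = ("tensor",
             ("tensor", ("bnd", 2), ("bnd", 1)),
             ("meet",
              ("tensor",
               ("meet", ("tensor", ("bnd", 3), ("bnd", 2)), 3),
               ("bnd", 3)),
              3))

def distribution_gap(e, d1, d2):
    """Both sides of e ∧ (d1 ⊗ d2) ≤ (e ∧ d1) ⊗ (e ∧ d2): the gap is why the
    fragment is not a linear algebra."""
    return min(e, d1 + d2), min(e, d1) + min(e, d2)

def max_flow(capacity, source, sink):
    """Edmonds-Karp: augment along a shortest residual path until none is left."""
    nodes = {n for edge in capacity for n in edge}
    residual = {u: {} for u in nodes}
    for (u, v), c in capacity.items():
        residual[u][v] = residual[u].get(v, 0) + c
        residual[v].setdefault(u, 0)           # reverse edge for cancelling flow
    flow = 0
    while True:
        parent = {source: None}                # BFS tree from the source
        queue = deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v, c in residual[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return flow                        # no augmenting path: saturated
        push, v = inf, sink                    # bottleneck of the path found
        while parent[v] is not None:
            push = min(push, residual[parent[v]][v])
            v = parent[v]
        v = sink
        while parent[v] is not None:           # push the bottleneck along the path
            u = parent[v]
            residual[u][v] -= push
            residual[v][u] += push
            v = u
        flow += push

def with_capacity(capacity, edge, c):
    """Copy of the network with one channel re-labelled (e.g. to +inf or 0)."""
    changed = dict(capacity)
    changed[edge] = c
    return changed

def throughput(capacity=CAPACITY):
    """The minimal d with φ_N ⊢ d : ∘false, i.e. the max-flow from src to sink."""
    return max_flow(capacity, "src", "sink")
```

Relabelling D → E with +∞ leaves the throughput unchanged, as the text argues, while cutting D → F to 0 lowers it.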



4.2 Shortest Path 

A different interpretation of the scheduling graph Fig. 1 reads the edge labels as distances and asks for the length of the shortest path through the network. This leads to an "inverted" network algebra: The sequential composition of edges is addition and the branching of edges at a node is associated with the minimum operation, whereas in the network flow situation of Sec. 4.1 sequential composition corresponds to minimum and branching is addition. Not surprisingly, the shortest path interpretation invokes a different fragment of the type theory. Again, each node is a control variable, V = {A,B,C,D,E,F}. An activation σ models a journey through the network activating control nodes as it passes them. If σ activates X at time i, then X ∈ σ(i), and if it traverses an edge X → Y with distance label d, then for some 0 ≤ k ≤ d, Y ∈ σ(i + k). Hence σ satisfies the type X ⊃ d : ∘Y. If there are several outgoing edges X → Y₁ and X → Y₂ and σ reaches X, then, because we are interested in the shortest path, we permit σ to explore both branches "in parallel". Hence, σ fulfils both implications X ⊃ d₁ : ∘Y₁ and X ⊃ d₂ : ∘Y₂. Following this idea, the network N as given in Fig. 1 comes out as the type specification

φ_N =df   A ⊃ 5 : ∘B ∧ A ⊃ 3 : ∘C ∧ B ⊃ 1 : ∘D ∧ B ⊃ 2 : ∘E
        ∧ C ⊃ 4 : ∘D ∧ C ⊃ 8 : ∘F ∧ D ⊃ 5 : ∘E ∧ D ⊃ 4 : ∘F ∧ E ⊃ 2 : ∘F.        (19)

The length of the shortest path between X and Y is the minimal d such that φ_N ⊢ X ⊃ d : ∘Y. By (1), sequentially connecting edges X ⊃ d₁ : ∘Y and Y ⊃ d₂ : ∘Z yields X ⊃ d₁ + d₂ : ∘Z, and a choice of two paths X ⊃ d₁ : ∘Z and X ⊃ d₂ : ∘Z between the same start and end node, by (3) implies X ⊃ min(d₁, d₂) : ∘Z as desired. Now the values 0 and −∞ have different meaning: X ⊃ 0 : ∘Y is equivalent to X ⊃ Y modelling an edge without cost. In contrast, X ⊃ −∞ : ∘Y is semantically the same as X ⊃ false which says that no activation reaches control node X. A distance +∞ expresses absence of a connection since X ⊃ +∞ : ∘Y = X ⊃ true = true which does not give any information about how to reach Y from X.

It is well-known how to compute shortest paths by linear programming. This exploits the distribution law min(e + d₁, e + d₂) = e + min(d₁, d₂), which permits us to organise the scheduling bounds in the network theory (19) in form of matrices and to manipulate them using typed matrix multiplications. For instance, we can combine the two outgoing edges of A into a single type

(A ⊃ 5 : ∘B) ∧ (A ⊃ 3 : ∘C) ⊢ A ⊃ (5,3) : ∘B ∧ ∘C ⊢ [5;3] : A ⊃ ∘B ∧ ∘C,        (20)

where [5;3] abbreviates the function λx. ((5,0), (3,0)) interpreted as a column vector of numbers. Dually, the two incoming edges into node D can be combined into a single type

(B ⊃ 1 : ∘D) ∧ (C ⊃ 4 : ∘D) ⊢ [1,4] : B ∨ C ⊃ ∘D,        (21)

where [1,4] is the function λx. case x of [0 → (1,0), 1 → (4,0)] thought of as a row vector. The type algebra, essentially (1) and (3), proves that the conjunction of both (20) and (21) implies the matrix multiplication

([5;3] : A ⊃ ∘B ∧ ∘C) ∧ ([1,4] : B ∨ C ⊃ ∘D) ⊢ min(5 + 1, 3 + 4) : A ⊃ ∘D = [1,4] · [5;3] : A ⊃ ∘D

in min-plus algebra. More generally, for every sub-network with source nodes X₁, X₂, ..., Xₙ and sink nodes Y₁, Y₂, ..., Yₘ we have an elementary type D : X₁ ∨ ··· ∨ Xₙ ⊃ ∘Y₁ ∧ ··· ∧ ∘Yₘ describing the shortest path between any source to any target, in which the scheduling bound D ∈ Bnd((X₁ ∨ ··· ∨ Xₙ) ⊃ ∘Y₁ ∧ ··· ∧ ∘Yₘ) behaves like an n × m matrix in min-plus algebra. For instance, take the decomposition of N into the edge sets N₁ =df {A→B, A→C}, N₂ =df {B→E, B→D, C→D, C→F} and N₃ =df {D→E, D→F, E→F}:

D(N₁) = [5;3] : A ⊃ (∘B ∧ ∘C)
D(N₂) = [1;2;+∞, 4;+∞;8] : (B ∨ C) ⊃ (∘D ∧ ∘E ∧ ∘F)
D(N₃) = [4,2,0] : (D ∨ E ∨ F) ⊃ ∘F.

The shortest path from A to F is then obtained by multiplying these matrices

[4,2,0] · [1;2;+∞, 4;+∞;8] · [5;3] = [4,2,0] · [6;7;11] = 9 : A ⊃ ∘F

in min-plus algebra. The type-theoretic approach facilitates a compositional on-the-fly construction of the shortest path matrix. The pure algebraic technique would combine all the information in a global 6 × 6 network matrix N : (⋁_{X∈V} X) ⊃ (⋀_{X∈V} ∘X) where (N)_{XY} = d < +∞ if there exists an edge X ⊃ d : ∘Y in φ_N. Then, the shortest path matrix is N* = Id ∧ N ∧ N² ∧ ···, where Id is the identity matrix with 0s in the diagonal and +∞ everywhere else and ∧ is the operation of forming element-wise minimum, lifting the logical operation d₁ : ∘X ∧ d₂ : ∘X = min(d₁, d₂) : ∘X to matrices. The entries in N* are the shortest distances between any two nodes in the network.

This way of solving shortest paths is well-known, of course. But now the behavioural typing permits us safely to play over- and under-approximation games which are difficult to control in pure algebra or graph theory without model-theoretic semantics. Just to give a simple example, suppose we wanted to derive a lower bound on the shortest path. Such can be obtained by identifying some of the control nodes, i.e., pretending we could jump between them on our path to reach the destination. For instance, assuming C = B, we find that φ_N ∧ C = B ⊢ A ⊃ 1 : ∘F is the shortest distance. Since the conjunction φ_N ∧ C = B specifies a subset of activations, the shortest distance between A and F relative to φ_N ∧ C = B is a lower bound on the shortest distance relative to φ_N. It may be more efficient to compute since the network φ_N ∧ C = B only has 5 different nodes rather than 6 as with φ_N.



4.3 Task Scheduling 

In yet another interpretation of network N the nodes are tasks and edges scheduling dependencies associated with upper bounds for task completion. Computing the worst-case completion time for the overall schedule, sequential composition of edges corresponds to addition as in the shortest path scenario Sec. 4.2 but branching now involves maximum rather than the minimum. Again, this is induced by the logical nature of the problem, the fact that the input join now is conjunctive rather than disjunctive as before. For instance, task D in Fig. 1 cannot start before both tasks C and B have started with a set-up delay of 4 time units from the start of C and 1 unit from B. Let us assume the task activation times are included in these set-up delays. To model this type-theoretically we take the edges as the atomic control variables, i.e., V = {AC,AB,CD,CF,BD,BE,DE,DF,EF,F}. Whenever XY ∈ σ(i), for i ∈ |σ|, this says that the edge XY is ready, i.e., the source task X is completed and the start token has arrived at the corresponding control input of target task Y. The node D establishes a logical-arithmetical relationship between its input edges CD, BD and its output edges DF, DE, given by CD ∧ BD ⊃ (4 : ∘DF) ∧ (5 : ∘DE). Overall,

φ_N =df   (true ⊃ 3 : ∘AC ∧ 5 : ∘AB) ∧ (AC ⊃ 4 : ∘CD ∧ 8 : ∘CF)
        ∧ (AB ⊃ 1 : ∘BD ∧ 2 : ∘BE) ∧ ((CD ∧ BD) ⊃ 4 : ∘DF ∧ 5 : ∘DE)
        ∧ (DE ∧ BE ⊃ 2 : ∘EF) ∧ (CF ∧ DF ∧ EF ⊃ 0 : ∘F).

The critical path is the minimal d such that φ_N ⊢ d : ∘F. It can be computed by linear programming involving matrix multiplication in max-plus algebra using essentially the laws (1) and (2).
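Both matrix readings of the graph, Sec. 4.2 (min-plus, shortest path) and Sec. 4.3 (max-plus, critical path), as one added example that is not the paper's code: a single typed matrix product and closure over a dioid passed as a parameter, applied to type (19) and to the task theory above. The dioid tuple encoding, the names matmul, closure and adjacency, and the 'start' node standing for the control true are this example's conventions.

```python
"""Shortest path (Sec. 4.2) and task scheduling (Sec. 4.3) over the graph of Fig. 1.

Added example, not the paper's code.  Both readings use the same typed matrix
product; only the dioid differs: min-plus where branching is a choice (shortest
path) and max-plus where the join is conjunctive (critical path of a schedule).
The closure N* = Id ∧ N ∧ N² ∧ ... is the fixed point the paper describes.
"""
from math import inf

# A dioid is (add, mul, zero, one): 'add' combines alternative paths, 'mul'
# composes sequential edges, 'zero' is "no path", 'one' is the empty path.
MIN_PLUS = (min, lambda a, b: a + b, inf, 0)
MAX_PLUS = (max, lambda a, b: a + b, -inf, 0)

def matmul(a, b, dioid):
    """Product of row-major matrices: (a·b)[i][j] = add over t of mul(a[i][t], b[t][j])."""
    add, mul, zero, _ = dioid
    out = []
    for row in a:
        acc_row = []
        for j in range(len(b[0])):
            acc = zero
            for t, x in enumerate(row):
                acc = add(acc, mul(x, b[t][j]))
            acc_row.append(acc)
        out.append(acc_row)
    return out

def identity(n, dioid):
    """Id: 'one' (0) on the diagonal, dioid 'zero' (±inf) everywhere else."""
    _, _, zero, one = dioid
    return [[one if i == j else zero for j in range(n)] for i in range(n)]

def closure(mat, dioid):
    """Id ⊕ N ⊕ N² ⊕ ... ⊕ N^(n-1), combined element-wise with the dioid's add.

    No simple path has more than n-1 edges, so for an acyclic graph, or for
    min-plus with non-negative labels, this is the exact best-path matrix N*.
    """
    add = dioid[0]
    n = len(mat)
    power, result = identity(n, dioid), identity(n, dioid)
    for _ in range(n - 1):
        power = matmul(power, mat, dioid)
        result = [[add(x, y) for x, y in zip(r, p)] for r, p in zip(result, power)]
    return result

def adjacency(nodes, edges, dioid):
    """Square matrix with entry [X][Y] = d for every edge X ⊃ d : ∘Y, zero elsewhere."""
    idx = {x: i for i, x in enumerate(nodes)}
    mat = [[dioid[2]] * len(nodes) for _ in nodes]
    for x, y, d in edges:
        mat[idx[x]][idx[y]] = d
    return mat

# --- Sec. 4.2: edge labels as distances, type (19) ----------------------------
NODES = ["A", "B", "C", "D", "E", "F"]
EDGES = [("A", "B", 5), ("A", "C", 3), ("B", "D", 1), ("B", "E", 2),
         ("C", "D", 4), ("C", "F", 8), ("D", "E", 5), ("D", "F", 4), ("E", "F", 2)]

# The paper's block decomposition; rows = sink nodes, columns = source nodes.
D_N1 = [[5], [3]]                    # [5;3]            : A ⊃ ∘B ∧ ∘C
D_N2 = [[1, 4], [2, inf], [inf, 8]]  # [1;2;+∞, 4;+∞;8] : B ∨ C ⊃ ∘D ∧ ∘E ∧ ∘F
D_N3 = [[4, 2, 0]]                   # [4,2,0]          : D ∨ E ∨ F ⊃ ∘F

def shortest_path_blockwise():
    """[4,2,0] · [1;2;+∞,4;+∞;8] · [5;3] in min-plus algebra (the paper: 9 : A ⊃ ∘F)."""
    return matmul(D_N3, matmul(D_N2, D_N1, MIN_PLUS), MIN_PLUS)[0][0]

def shortest_distances():
    """N* over the global 6x6 matrix; entry [X][Y] is the shortest X-to-Y distance."""
    return closure(adjacency(NODES, EDGES, MIN_PLUS), MIN_PLUS)

# --- Sec. 4.3: the edges of N become the control variables --------------------
TASK_NODES = ["start", "AC", "AB", "CD", "CF", "BD", "BE", "DE", "DF", "EF", "F"]
TASK_EDGES = [("start", "AC", 3), ("start", "AB", 5),          # true ⊃ 3:∘AC ∧ 5:∘AB
              ("AC", "CD", 4), ("AC", "CF", 8),                # AC ⊃ 4:∘CD ∧ 8:∘CF
              ("AB", "BD", 1), ("AB", "BE", 2),                # AB ⊃ 1:∘BD ∧ 2:∘BE
              ("CD", "DF", 4), ("CD", "DE", 5),                # CD ∧ BD ⊃ 4:∘DF ∧ 5:∘DE
              ("BD", "DF", 4), ("BD", "DE", 5),
              ("DE", "EF", 2), ("BE", "EF", 2),                # DE ∧ BE ⊃ 2:∘EF
              ("CF", "F", 0), ("DF", "F", 0), ("EF", "F", 0)]  # CF ∧ DF ∧ EF ⊃ 0:∘F

def critical_path():
    """Minimal d with φ_N ⊢ d : ∘F.  A conjunctive join waits for its latest input,
    so the completion time is the longest start-to-F path: N*[start][F] in max-plus."""
    star = closure(adjacency(TASK_NODES, TASK_EDGES, MAX_PLUS), MAX_PLUS)
    return star[0][-1]
```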



5 Examples II: Esterel-style Synchronous Multi-threading 

Like task scheduling in Sec. 4.3 the timing analysis of Esterel programs [6, 22] involves max-plus algebra, yet takes place in an entirely different fragment of the type theory. Instead of implications φ₁ ∧ φ₂ ⊃ ∘ψ₁ ∧ ∘ψ₂ as in Sec. 4.3 we employ dependencies of the form φ₁ ∨ φ₂ ⊃ ∘ψ₁ ⊕ ∘ψ₂, which are handled by (1) and (4) rather than (1) and (2). In addition, we use the tensor for capturing multi-threaded parallelism. Here we provide some further theoretical background for the work reported in [22].

Esterel programs communicate via signals, which are either present or absent during one instant. Signals are set present by the emit statement and tested with the present test. They are reset at the start of each instant. Esterel statements can be either combined in sequence (;) or in parallel (||). The loop statement simply restarts its body when it terminates. All Esterel statements are considered instantaneous, except for the pause statement, which pauses for one instant, and derived statements like halt (= loop pause end), which stops forever. Esterel supports multiple forms of preemption, e.g., via the abort statement, which simply terminates its body when some trigger signal is present. Abortion can be either weak or strong. Weak abortion permits the activation of its body in the instant the trigger signal becomes active, strong abortion does not. Both kinds of abortions can be either immediate or delayed. The immediate version already senses for the trigger signal in the instant its body is entered, while the delayed version ignores it during the first instant in which the abort body is started.

Consider the Esterel fragment in Fig. 2b. It consists of two threads. The first thread G emits signals R, S, T depending on some input signal I. In any case, it emits signal U and terminates instantaneously. The thread H continuously emits signal R, until signal I occurs. Thereafter, it either halts, when E is present, or emits S and terminates otherwise, after having executed the skip statement nothing.




(a) CKAG

    % module T
    [ % thread G
      present I then emit R end present;
      present I else emit S; emit T end present;
      emit U;
    || % thread H
      weak abort
        loop
          pause; emit R
        end loop
      when immediate I;
      present E then halt end present;
      emit S; nothing;
    ]

(b) Esterel module T

    L01  T0:  PAR 1,G0,1
    L02       PAR 1,H0,2
    L03       PARE A1
    L04  G0:  PRESENT I,G1
    L05       EMIT R
    L06  G1:  PRESENT I,G3
    L07       GOTO G2
    L08  G3:  EMIT S
    L09       EMIT T
    L10  G2:  EMIT U
    L11  H0:  WABORT I,H1
    L12  H3:  PAUSE
    L13       EMIT R
    L14       GOTO H3
    L15  H1:  PRESENT E,H2
    L16       HALT
    L17  H2:  EMIT S
    L18       NOTHING
    L19  A1:  JOIN

(c) KEP Assembler

Figure 2: Esterel module T (b) with control-flow graph (a) and resulting KEP Assembler (c).



The concurrent KEP assembler graph [18] (CKAG, see Fig. 2a) captures the control flow, both standard control and abortions, of an Esterel program. The CKAG is derived from the Esterel program by structural translation. For a given CKAG, the generation of assembly code for the Kiel Esterel Processor (KEP) [18, 19], executing synchronous parallelism by multi-threading, is straightforward (see Fig. 2c).

Let S, L and M be disjoint sets of (input or output) signals, control flow labels and synchronisation states, respectively. For the Esterel module in Fig. 2 we have S = {I,E,R,S,T,U}, L = {L0, ..., L20, G0, ..., G3, H0, ..., H3}. As synchronisation states we use the names of the atomic delay nodes, i.e., the pause, halt and join nodes, M = {v₉, v₁₃, v₁₆}. These describe the different state bits of the synchronous automaton coded by the program block T. To distinguish the cases of a thread starting from or ending in a given state s ∈ M during an instant we use the modifiers out(s) and in(s). The former expresses that the thread is leaving from s at the beginning of the instant and the latter that it enters and terminates the instant in s. The set M⁺ =df {out(s), in(s) | s ∈ M} collects these atomic statements. The set of control variables, specifying the atomic control points of a program module, is the union V = S ∪ L ∪ M⁺. All the controls out(s) are stable, i.e., we may assume out(s) ⊕ ¬out(s). This is not true for controls in(s) which are switched on dynamically as the schedule enters a delay node.

One possible activation of the Esterel module T in Fig. 2a would be as follows. Initially, control variable T0 is set, so σ(0) = {T0}. Then the PAR and PARE instructions making up the fork node v₀ are executed in line numbers L01, L02, L03 of Fig. 2c, each taking one instruction cycle (ic). The two PAR instructions set up internal counters for thread control, which does not change the set of events in the variables of Fig. 2a. Hence, σ(1) = σ(2) = {T0}. After the PARE both control variables G0, H0 become present bringing threads G and H to life. This means σ(3) = {T0,G0,H0}. The next instruction could be any of the two first instructions of G or H. As it happens, the KEP Assembler Fig. 2c assigns higher priority to H so that our activation continues with wabort (node v₈), i.e., σ(4) = {T0,G0,H0,L12}. This brings up the pause instruction v₉. Now, depending on whether signal I is present or not the activation of pause either moves to v₁₂ (weak immediate abort) or terminates. Let us assume the latter, i.e., σ(5) = {T0,G0,H0,L12,in(v₉)}, where thread H is finished up for the instant and has entered a wait state in node v₉. The activation continues with the first instruction of G, the present node v₁ at label G0. Since I is assumed absent, its activation effects a jump to label G1, i.e., σ(6) = {T0,G0,H0,L12,in(v₉),G1}. Thereafter, we run sequentially through nodes v₃, v₅, v₆, v₇ giving σ(7) = σ(6) ∪ {G3}, σ(8) = σ(7) ∪ {L9} and σ(9) = σ(8) ∪ {L10}.

Executing the final emit instruction v₇ hits the join at entry L11, so that σ(10) = {T0,G0,H0,L12,in(v₉),G1,G3,L9,L10,L11}. Now both threads G and H are finished. While G is terminated and hands over to the main thread T for good, H is still pausing in v₉. It takes one activation step of the join node v₁₆ to detect this and to terminate the synchronous instant of T with the final event σ(11) = {T0,G0,H0,L12,in(v₉),G1,G3,L9,L10,L11,in(v₁₆)}. Overall, we get an activation of the outer-most main thread of T, σ = σ(0), ..., σ(11), starting from program label T0 consisting of 12 ics in total. In the next logical instant when T is resumed in v₁₆ and v₉, with initial event σ(0) = {out(v₉), out(v₁₆)}, and thread H eventually comes out at control point L19 (if signal I is present and E absent), then executing the join will bring us to control point L20 and out of T instantaneously.

Activation sequences starting in control label T0 and ending in L20 are called through paths, those starting in T0 and pausing in a synchronisation state in(s), s ∈ {v₉, v₁₃, v₁₆}, are sink paths; source paths begin in a state out(s) and end in L20, while internal paths begin in a state and end in a state.



Esterel IO-Interface Types. Our normal form interfaces to describe Esterel-KEP modules are of the form θ = φ ⊃ ψ with input control φ = ζ₁ ∨ ··· ∨ ζₙ and output control ψ = ∘ξ₁ ⊕ ··· ⊕ ∘ξₘ where the ζᵢ and ξₖ are pure types. The former captures all the possible ways in which a program module (or any other fragment) of type θ can be started within an instant and the latter ψ sums up the ways in which it can be exited during the instant. Intuitively, σ ⊨ θ says that whenever the schedule σ enters the fragment through one of the input controls ζᵢ then within some bounded number of ics it is guaranteed to exit through one of the output controls ξₖ. The disjunction ∨ in the input control φ models the external non-determinism resolved by the environment which determines how a program block is started. On the output side ψ, the selection of which exit ξₖ is taken is expressed by ⊕ since it is an internal choice which is dynamically resolved during each activation. Each delay operator ∘ stands for a possibly different delay depending on which output is taken. Contrast this with an output control such as ψ = ∘(ξ₁ ⊕ ··· ⊕ ξₘ) which only specifies one bound for all exits ξₖ. An interface bound T ∈ Bnd(φ ⊃ ψ) can be understood as an n × m shaped timing matrix relative to the Boolean controls ζᵢ and ξₖ serving as "base" vectors. The logical conjunction of these interfaces in a fixed set of such base controls corresponds to matrix multiplications in max-plus algebra. Furthermore, using logical reasoning on base controls ζᵢ, we can massage the semantics of timing matrices very much like we do with base transformations in ordinary linear algebra. Two important operations on IO-interfaces are matrix multiplication and the Kronecker product which in our scheduling algebra are now strongly typed and thus receive semantic meaning in logical spaces.



Transient and Sequential Submodules G and H. A full and exact WCRT specification encapsulating the synchronous block G as a component would require mention of program labels G1, G3, G2 which are accessible from outside for jump statements. Therefore, the interface type for single-threaded scheduling of G would be [6,4,3,1] : G0 ∨ G1 ∨ G3 ∨ G2 ⊃ ∘L11. This is still not the exact description of G since it neither expresses the dependency of the WCRT on signal I, nor the emissions of R, S, T, U. For instance, if I is present then all threads must take control edges L5 and L7 rather than G1 or G3 which are blocked. If I is absent then both G1 and G3 must be taken instead. As a result the longest path v₁ + v₂ + v₃ + v₅ + v₆ + v₇ with delay 6 is not executable. To capture this, we consider signal I as another control input and refine the WCRT interface type of G:

[5,5,3,4,3,1] : (G0 ∧ I) ∨ (G0 ∧ ¬I) ∨ (G1 ∧ I) ∨ (G1 ∧ ¬I) ∨ G3 ∨ G2 ⊃ ∘L11.        (22)

The inclusion of signal I in the interface has now resulted in the distinction of two different delay values 3 and 4 for G1 ⊃ ∘L11 depending on whether I is present or absent. On the other hand, G0, split into controls G0 ∧ I and G0 ∧ ¬I, produces the same delay of 5 ics in both cases, which is a decrease of WCRT compared to [6] : G0 ⊃ ∘L11 from above. Assuming that input signal I is causally stable, i.e., I ⊕ ¬I = true, it is possible to optimise the interface without losing precision: since (G0 ∧ I) ⊕ (G0 ∧ ¬I) = G0 ∧ (I ⊕ ¬I) = G0 ∧ true = G0 the column vector [0;0] : G0 ⊃ ∘(G0 ∧ I) ⊕ ∘(G0 ∧ ¬I) is sound and can be used to compress the two entries of value 5 in (22) into a single value 5 = max(5,5) giving [5,3,4,3,1] : G0 ∨ (G1 ∧ I) ∨ (G1 ∧ ¬I) ∨ G3 ∨ G2 ⊃ ∘L11. In the same vein, but this time without referring to stability, we could further bundle G1 ∧ I and G3 into a single control with the single delay [3] : (G1 ∧ I) ⊕ G3 ⊃ ∘L11 at the same level of precision. This finally yields [5,3,4,1] : G0 ∨ ((G1 ∧ I) ⊕ G3) ∨ (G1 ∧ ¬I) ∨ G2 ⊃ ∘L11. Still, if we only ever intend to use G as an encapsulated block with entry G0 and exit L11 the following typing is sufficient:

[5] : G0 ⊃ ∘L11.        (23)

Now we take a look at the sequential control flow which starts and terminates in pause and halt nodes. Consider the sub-module H from Fig. 2a consisting of nodes v₈–v₁₅. Nodes wabort, emit, goto, present, nothing are transient and specified as before for G. But now the instantaneous paths are broken by the delay nodes v₉ and v₁₃.

First, consider the pause node v₉. It can be entered by two controls, line number L12 and program label H3, and left via two exits, a non-instantaneous edge L13 and an instantaneous exit H1 (weak abortion). When a control thread enters v₉ then either it terminates the current instant inside the node or leaves through the weak abort H1 (data-dependent, if signal I is present) continuing the current reaction, instantaneously. A thread entering v₉ never exits through L13 in the same instant. On the other hand, if a thread is started (resumed) from inside the pause node v₉ then control can only exit through L13. This suggests to specify the pause node as follows:

[1;1,1;1] : H3 ∨ L12 ⊃ ∘H1 ⊕ ∘in(v₉)        (24)
[1] : out(v₉) ⊃ ∘L13.        (25)



The interface (24) says that if pause is entered through H3 or L12 it can be left through H1 or terminate (in) inside the pause. In all cases activation takes 1 instruction cycle. Since there are no differences in the delays we could bundle the controls H3, L12 and compress the matrix (24) as [1] : H3 ⊕ L12 ⊃ ∘(H1 ⊕ in(v₉)) without losing information. We could also record the dependency of control on signal I, with the more precise interface [1;−∞, −∞;1] : ((H3 ⊕ L12) ∧ I) ∨ ((H3 ⊕ L12) ∧ ¬I) ⊃ ∘H1 ⊕ ∘in(v₉). This separates the threads which must stop inside the pause from those which must leave via H1 due to a weak immediate abort on signal I. The specification (25) accounts for threads starting in the pause which must necessarily pass control to L13 within one instruction cycle.



The halt node v₁₃ in Fig. 2a is not only a sink for control threads entering through L16 but it also has an internal path of length 1 (which is repeated at every instant). It is specified by the interface [1,1] : (out(v₁₃) ∨ L16) ⊃ ∘in(v₁₃). By composition from the WCRT interfaces of nodes v₁₂–v₁₅ using matrix multiplications in max-plus algebra we get

H = [5;4,7;6] : H0 ∨ out(H) ⊃ ∘L19 ⊕ ∘in(H)        (26)

recording the lengths of the longest through path v₈ + v₉ + v₁₂ + v₁₄ + v₁₅, sink path v₈ + v₉ + v₁₂ + v₁₃, source path v₉ + v₁₀ + v₁₁ + v₉ + v₁₂ + v₁₄ + v₁₅ and internal path v₉ + v₁₀ + v₁₁ + v₉ + v₁₂ + v₁₃.

Multi-threading Composition: Fork and Join. Finally, consider the two blocks G and H as they are combined inside the Esterel module T (Fig. 2a) and synchronised by fork and join nodes v₀ and v₁₆. The main thread starts G and H in their initial controls, i.e., by activating G0 ∧ H0. Then, the executions of G and H are interleaved, depending on the priorities assigned by the compiler about which we shall make no assumptions. Child thread G can only run through its instantaneous path until it reaches L11 where it is stopped by the join. The sequential block H has two options: It can take its instantaneous through path stopping at L19 or it pauses in one of its delay nodes. In the former case we have reached L11 ∧ L19, where the synchronising join takes over letting the main thread continue by instantaneously activating L20 within the same instant. In the latter case we have activated L11 ∧ in(H) where the synchronous instant is finished and the combined system pauses. Activation is resumed in the next instant from L11 ∧ out(H), while G is still inactive and waiting at L11. Child thread H may either leave instantaneously through L19, giving L11 ∧ L19 overall, or once more pause internally, leading again to L11 ∧ in(H).

This synchronous composition is obtained by the Kronecker product GH =df G' ⊗ H' where G' and H' are the stand-alone interfaces of G (23) and H (26) instrumented for the synchronisation:

G' = Sync₁ ∧ [5,0] : G0 ∨ L11 ⊃ ∘L11
H' = Sync₂ ∧ [5;4,7;6] : H0 ∨ out(H) ⊃ ∘L19 ⊕ ∘in(H).

G is extended by the additional input control L11 and trivial path [0] : L11 ⊃ ∘L11 to let G start an instant from L11 when H is pausing. The conjunct Sync₁ =df ¬L11 expresses the synchronisation whereby G finishes once it reaches L11. Similarly, the conjunct Sync₂ =df ¬(L19 ⊕ in(H)) added to the interface (26) stops H from continuing its activation instant past L11 or in(H). The Kronecker product G' ⊗ H' now generates all possible interleavings of activations specified by type G' with those from type H':

G' ⊗ H' ⊢ [5,0] ⊗ [5;4,7;6] = [5 · [5;4,7;6], 0 · [5;4,7;6]] = [10;9,12;11,5;4,7;6]
   : (G0 ∧ H0) ∨ (G0 ∧ out(H)) ∨ (L11 ∧ H0) ∨ (L11 ∧ out(H)) ⊃ ∘(L11 ∧ L19) ⊕ ∘(L11 ∧ in(H)).

In the synchronised composition GH we are only interested in the (surface) paths initiated by G0 ∧ H0 and the (depth) paths activated by the combination L11 ∧ out(H). All other paths cannot be activated inside the fork and join context. Thus, we drop these column vectors and only continue with

GH = [10;9,12;11,5;4,7;6] · [0;−∞;−∞;−∞, −∞;−∞;−∞;0] = [10;9,7;6]
   : (G0 ∧ H0) ∨ (L11 ∧ out(H)) ⊃ ∘(L11 ∧ L19) ⊕ ∘(L11 ∧ in(H)).

This models the concurrent composition of G and H but not yet the interface of the composite block T with fork and join as depicted in Fig. 2a. These are additional components specified as

join = [1;−∞, −∞;1] : (L11 ∧ L19) ∨ (L11 ∧ in(H)) ⊃ ∘L20 ⊕ ∘in(T)
fork = [3;−∞, −∞;0] : T0 ∨ out(T) ⊃ ∘(G0 ∧ H0) ⊕ ∘(L11 ∧ out(H))

with new state controls in(T) and out(T) for module T. The JOIN instruction in line 19 of Fig. 2c is always executed upon termination of both threads from G and H inside T and the associated activation time of one ic is accounted for in the join interface above. Specifically, this is a through path [1] : (L11 ∧ L19) ⊃ ∘L20 and source path [1] : L11 ∧ in(H) ⊃ ∘in(T). The entry [3] : T0 ⊃ ∘(G0 ∧ H0) of fork includes the ics for two PAR, one PARE from lines 1-3 of Fig. 2c. Adding fork and join on the input and output side then obtains

T = [1;−∞, −∞;1] · [10;9,7;6] · [3;−∞, −∞;0] = [14;13,8;7] : T0 ∨ out(T) ⊃ ∘L20 ⊕ ∘in(T)

for the composite module T. Indeed, the longest through path is exemplified by the sequence of nodes v₀(3) + {v₁ + v₂ + v₃ + v₄ + v₇}_G(5) + {v₈ + v₉ + v₁₂ + v₁₄ + v₁₅}_H(5) + v₁₆(1) = 14. A longest sink path is v₀(3) + {v₁ + v₂ + v₃ + v₄ + v₇}_G(5) + {v₈ + v₉ + v₁₂ + v₁₃}_H(4) + v₁₆(1) = 13. As a maximal source path we could take {}_G(0) + {v₉ + v₁₀ + v₁₁ + v₉ + v₁₂ + v₁₄ + v₁₅}_H(7) + v₁₆(1) = 8 and as a possible longest internal path {}_G(0) + {v₉ + v₁₀ + v₁₁ + v₉ + v₁₂ + v₁₃}_H(6) + v₁₆(1) = 7.
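The composition join · GH · fork above, as an added example that is not the paper's or the KEP tool chain's code: max-plus matrix and Kronecker products over lists of rows, reproducing [10;9,7;6] for GH and [14;13,8;7] for T. The row/column convention (rows = output controls, columns = input controls, so the paper's column-major [a;b, c;d] is [[a, c], [b, d]]) and the helper names mp_mul, mp_kron and mp_select are this example's own.

```python
"""WCRT composition of the Esterel module T (Sec. 5) in max-plus algebra.

Added example, not the paper's code.  Rows index output controls, columns index
input controls; -inf is the missing path (-∞ : ∘φ = false).
"""
from math import inf

NEG = -inf

def mp_mul(a, b):
    """Max-plus matrix product: (a·b)[i][j] = max over t of a[i][t] + b[t][j]."""
    return [[max(a[i][t] + b[t][j] for t in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]

def mp_kron(a, b):
    """Max-plus Kronecker product a ⊗ b: every entry of a added to every entry of b.

    Row (ia, ib) is the conjunction of a's output ia with b's output ib, column
    (ja, jb) the conjunction of the inputs; a's index varies slowest, as in the
    paper's listing (G0∧H0), (G0∧out(H)), (L11∧H0), (L11∧out(H)).
    """
    return [[a[ia][ja] + b[ib][jb] for ja in range(len(a[0])) for jb in range(len(b[0]))]
            for ia in range(len(a)) for ib in range(len(b))]

def mp_select(cols, n):
    """n x len(cols) selection matrix: 0 where row == cols[j], -inf elsewhere.
    Multiplying on the right keeps only the listed input columns."""
    return [[0 if r == c else NEG for c in cols] for r in range(n)]

# Stand-alone interfaces from the text (Sync conjuncts are logical, not numeric).
G_PRIME = [[5, 0]]                 # [5,0]       : G0 ∨ L11 ⊃ ∘L11
H_PRIME = [[5, 7], [4, 6]]         # [5;4,7;6]   : H0 ∨ out(H) ⊃ ∘L19 ⊕ ∘in(H)
JOIN = [[1, NEG], [NEG, 1]]        # [1;−∞,−∞;1] : (L11∧L19) ∨ (L11∧in(H)) ⊃ ∘L20 ⊕ ∘in(T)
FORK = [[3, NEG], [NEG, 0]]        # [3;−∞,−∞;0] : T0 ∨ out(T) ⊃ ∘(G0∧H0) ⊕ ∘(L11∧out(H))

def compose_GH():
    """G' ⊗ H' restricted to the inputs G0∧H0 and L11∧out(H): the paper's [10;9,7;6]."""
    full = mp_kron(G_PRIME, H_PRIME)            # 2 x 4, all four input conjunctions
    return mp_mul(full, mp_select([0, 3], 4))   # keep columns 0 and 3

def compose_T():
    """join · GH · fork = [14;13,8;7] : T0 ∨ out(T) ⊃ ∘L20 ⊕ ∘in(T)."""
    return mp_mul(mp_mul(JOIN, compose_GH()), FORK)

def wcrt_paths():
    """The four path classes of T read off its interface matrix."""
    t = compose_T()
    return {"through": t[0][0], "sink": t[1][0], "source": t[0][1], "internal": t[1][1]}
```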

In specific WCRT algorithms such as the one of [6] many of the matrix multiplications shown above are executed efficiently in the combinatorics of traversing the program's control flow graph, forming maxima and additions as we go along. This is possible only so far as control flow dependencies are represented explicitly in the graph. In general, with data-dependencies, this may be an exponential problem so that symbolic techniques for modular analyses are needed. Our logical interface algebra can be used to keep track of the semantic meaning of WCRT data. Even without data-dependencies, the WCRT interfaces presented here give rise to a depth-first search algorithm [22] which is already more precise than the one presented in .



6 Related Work 

Most interface models in synchronous programming are restricted to causality issues, i.e., dependency 
analysis without considering quantitative time. Moreover, the granularity of dependency is limited. E.g., 
the modules of André et al. [3] do not permit instantaneous interaction. Such a model is not suitable 
for compositional, intra-instant, scheduling analysis. Hainque et al. [10] use a topological abstraction 
of the underlying circuit graphs (or syntactic structure of Boolean equations) to derive a fairly rigid 
component dependency model. A component is assumed executable iff all of its inputs are available; 
after component execution all of its outputs become defined. This is fine for concurrent execution but 
too restricted to model single- or multi-threaded execution compositionally. The interface model also 
does not cover data dependencies and thus cannot deal with dynamic schedules. Nor does it support 
quantitative resource information. 

The causality interfaces of Lee et al. [17] are much more flexible. These are functions associating 
with every pair of input and output ports an element of a dependency domain D, which expresses if and 
how an output depends on some input. Causality analysis is then performed by multiplication on the 
global system matrix. Using an appropriate dioid structure D, one can perform the analyses of Hainque 
et al. [10] as well as restricted forms of WCRT. Lee's interfaces presuppose a fixed static distinction 
between inputs and outputs and cannot express the difference between an output depending on the joint 
presence of several inputs as opposed to depending on each input individually. Similarly, there is no 
coupling of outputs, e.g., that two outputs always occur together at "the same time." Thus, they do 
not support full AND- and OR-type synchronisation dependencies for representing multi-threading and 
multi-processing. Also, the model does not include data dependency. The work reported here can be seen 
as an extension of [17] to include such features. In particular, note that our scheduling interfaces can also 
be used in situations where linear algebra is not applicable, as in the case of network flow problems. 

Recent works [27, 13] combining network calculus [4, 7] with real-time interfaces are concerned 
with the compositional modelling of regular execution patterns. Existing interface theories [17, ?, ?], 
which aim at the verification of resource constraints for real-time scheduling, handle timing properties 
such as task execution latency, arrival rates, resource utilisation, throughput, accumulated cost of context 
switches, and so on. The dependency on data and control flow is largely abstracted. For instance, 
since the task sequences of Henzinger and Matic [13] are independent of each other, their interfaces 
do not model concurrent forking and joining of threads. The causality expressible there is even more 
restricted than that of Lee et al. [17] in that it permits only one-to-one associations of inputs with outputs. 
The interfaces of Wandeler and Thiele [27] for modular performance analysis in real-time calculus are 
like those of Henzinger and Matic [13] but without sequential composition of tasks and thus do not 
model control flow. On the other hand, the approaches [27, 13] can describe continuous and higher-level 
stochastic properties which our interface types cannot. 

AND- and OR-type synchronisation dependencies are important for synchronous programming since 
reachability of control nodes in general depends both conjunctively and disjunctively on the presence 
of data. Also, control branching may be conjunctive (as in multi-threading or concurrent execution) 
or disjunctive (as in single-threaded code). Moreover, execution may depend on the absence of data 
(negative triggering conditions), which makes compositional modelling rather a delicate matter in the 
presence of logical feedback loops. This severely limits the applicability of existing interface models. 
The assume-guarantee style specification [17, ?] does not address causality issues arising from feedback 
and negative triggering conditions. The interface automata of Alfaro, Henzinger, Lee, Xiong [1, 15] 
model synchronous macro-states and assume that all stabilisation processes (sequences of micro-states) 
can be abstracted into atomic interaction labels. The introduction of transient states [16] alleviates 
this, but the focus is still on regular (scheduling) behaviour. The situation is different, however, for 
cyclic systems, in which causality information is needed. Our interface algebra is semantically sound 
with respect to feedback and indeed supports causality analysis as a special case: a signal A is causal 
if ∘A ⊕ ¬A can be derived in the type theory of a module. Because of the complications arising from 
causality issues, there is currently no robust component model for synchronous programming. We believe 
that the interface types introduced in this paper cover new ground towards such a theory. 

Finally, note that our algebra is not intended as a general purpose interface model such as, e.g., the 
relational interfaces of Tripakis et al. [26]. While these relational interfaces permit contracts in first- 
order logic between inputs and outputs, our interfaces only describe propositional relations. Therefore, 
our algebra cannot describe the full functional behaviour of data processing (other than by coding it 
into finite Booleans). Our interfaces are logically restricted to express monotonic scheduling processes 
and the resource consumption inside synchronous instants. Because we use an intuitionistic realisability 
semantics (Curry-Howard) we obtain enough expressiveness to deal with causality problems and upper- 
bound scheduling costs. The interface algebra does not aim to cover behavioural aspects of sequences 
of instants such as in approaches based on temporal logics or the timed interfaces of Alfaro, Henzinger 
and Stoelinga [2], which build on timed automata. The scheduling problem addressed here is a simpler 
problem in the sense that it arises afresh within each synchronous step and does not need to carry (e.g., 
timing) constraints across steps. However, note that our algebra can fully capture finite-state sequential 
transition functions in the standard way by duplicating propositional state variables s using out(s) and 
in(s) as seen in Sec. 5. An inter-instant transition (instantaneous, no clock tick) between s1 and s2 is 
given by the implication out(s1) ⊃ ∘in(s2), while the intra-instant transition (sequential, upon clock tick) 
is the weak implication ¬in(s1) ⊕ out(s2). In this way, we can derive exact state-dependent worst-case 
bounds across all reachable states of a finite-state behaviour. 

The scheduling algebra in this paper extends [21] in that it not only captures concurrent execution 
(as in combinational circuits) but also includes the tensor ⊗ for multi-threading. More subtly, while [21] 
is restricted to properties of activation sequences stable under the suffix preordering, here we consider 
the much richer lattice of arbitrary sub-sequences. This paper introduces the theory behind [?], which 
reported on the application to WCRT analysis for Esterel, and also provides more detailed information on 
the modelling in Sec. 5. 